Opened 3 weeks ago

Closed 2 weeks ago

Last modified 2 weeks ago

#5851 closed enhancement (fixed)

openssl-3.6.1 (Security update)

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: highest Milestone: 13.0
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

https://github.com/openssl/openssl/releases/tag/openssl-3.6.1

The most severe CVE fixed in this release is High.

12 CVEs!!!

Change History (6)

comment:1 by zeckma, 3 weeks ago

Priority: normal → highest

comment:2 by Bruce Dubbs, 3 weeks ago

Resolution: fixed
Status: new → closed

Fixed at commit 54cfa41a9b.

comment:3 by Bruce Dubbs, 3 weeks ago

Resolution: fixed
Status: closed → reopened

This is fixed in the git repository but reopening for a security advisory.

comment:4 by Bruce Dubbs, 3 weeks ago

# Changes between 3.6.0 and 3.6.1 [27 Jan 2026]

  • Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.

Severity: Moderate

Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.

Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.

([CVE-2025-11187])

  • Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.

Severity: High

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

([CVE-2025-15467])

  • Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.

Severity: Low

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.

Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.

([CVE-2025-15468])

  • Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.

Severity: Low

Issue summary: The openssl dgst command-line tool silently truncates input data to 16 MiB when using one-shot signing algorithms and reports success instead of an error.

Impact summary: A user signing or verifying files larger than 16 MiB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16 MiB remains unauthenticated.

([CVE-2025-15469])

  • Fixed TLS 1.3 CompressedCertificate excessive memory allocation.

Severity: Low

Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.

Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).

([CVE-2025-66199])

  • Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.

Severity: Low

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.

Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.

([CVE-2025-68160])

  • Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls.

Severity: Low

Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.

([CVE-2025-69418])

  • Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.

Severity: Low

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.

([CVE-2025-69419])

  • Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function.

Severity: Low

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

([CVE-2025-69420])

  • Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.

Severity: Low

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.

([CVE-2025-69421])

  • Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.

Severity: Low

Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.

([CVE-2026-22795])

  • Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function.

Severity: Low

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

([CVE-2026-22796])

  • Fixed a regression in X509_V_FLAG_CRL_CHECK_ALL flag handling by restoring its pre-3.6.0 behaviour of being ignored when X509_V_FLAG_CRL_CHECK flag is not set, and no longer implying the latter flag instead.
  • Fixed a regression that caused generation of empty stapled OCSP responses when at least one certificate in the certificate chain had a stapled OCSP response present, causing handshake failures for OpenSSL 3.6.0 servers with various client implementations, including GnuTLS and BoringSSL. (https://github.com/openssl/openssl/pull/28955)
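A small post-update check, added here as an example and not code from this ticket or from the OpenSSL project: it parses the banner printed by `openssl version`, says whether a 3.6 series build already carries the 3.6.1 fixes, and flags `openssl dgst` one-shot signing or verification jobs whose input is larger than the 16 MiB boundary described for CVE-2025-15469. The function names, the sample banners and the prefix matching of the one-shot algorithm names are this example's own assumptions; it deliberately answers only for the 3.6 branch, since the changelog above lists the 3.6.1 fixes and says nothing about other branches.

```python
"""Post-update check for the openssl-3.6.1 advisory.

Added example, not code from the LFS ticket or from OpenSSL. Parses the
`openssl version` banner, reports whether a 3.6 series build includes the
3.6.1 fixes, and flags `openssl dgst` one-shot jobs (Ed25519, Ed448, ML-DSA)
whose input exceeds the 16 MiB truncation boundary from CVE-2025-15469.
"""
import re
import shutil
import subprocess

FIXED_VERSION = (3, 6, 1)            # release that carries the listed fixes
TRUNCATION_LIMIT = 16 * 1024 * 1024  # 16 MiB, from the CVE-2025-15469 text
# One-shot algorithms named in the advisory. Assumption: ML-DSA-44/65/87 are
# matched by the "ml-dsa" prefix, case-insensitively.
ONE_SHOT_ALGORITHMS = ("ed25519", "ed448", "ml-dsa")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner.

    Accepts 3.x banners such as "OpenSSL 3.6.0 1 Oct 2025" and 1.x banners
    such as "OpenSSL 1.1.1w  11 Sep 2023" (constructed samples); the 1.x
    letter suffix is ignored.
    """
    match = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if match is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    return tuple(int(part) for part in match.groups())


def needs_361_update(version):
    """True for a 3.6 series build older than 3.6.1, False for 3.6.1 or later.

    Returns None for other branches: the advisory lists only the 3.6.1 fixes,
    so this check does not guess at other branches' fixed releases.
    """
    if tuple(version[:2]) != (3, 6):
        return None
    return tuple(version) < FIXED_VERSION


def is_one_shot_algorithm(name):
    """True if `name` is one of the one-shot signing algorithms the advisory lists."""
    lowered = name.lower()
    return any(lowered.startswith(prefix) for prefix in ONE_SHOT_ALGORITHMS)


def dgst_input_at_risk(version, algorithm, input_size):
    """True when `openssl dgst` on this build would silently truncate the input.

    The advisory describes the problem for one-shot algorithms with inputs
    larger than 16 MiB on builds before 3.6.1. Returns None when the build is
    outside the 3.6 branch and therefore outside this check's scope.
    """
    needs = needs_361_update(version)
    if needs is None:
        return None
    return needs and is_one_shot_algorithm(algorithm) and input_size > TRUNCATION_LIMIT


def installed_openssl_version():
    """Run `openssl version` from PATH and parse it; None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    return parse_openssl_version(banner)


if __name__ == "__main__":
    version = installed_openssl_version()
    if version is None:
        print("openssl not found in PATH")
    else:
        status = needs_361_update(version)
        print("installed:", ".".join(map(str, version)))
        if status is True:
            print("3.6 series older than 3.6.1: apply the update")
        elif status is False:
            print("3.6.1 or later: advisory fixes present")
        else:
            print("not a 3.6 series build: check that branch's own advisories")
```

Run it on a host after installing the update; a `True` from `dgst_input_at_risk` on a build still at 3.6.0 means a large file signed with an Ed25519, Ed448 or ML-DSA key through `openssl dgst` had only its first 16 MiB authenticated, so such signatures should be regenerated once the update is in place.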

comment:5 by zeckma, 2 weeks ago

Resolution: fixed
Status: reopened → closed

SA-12.4-078 issued.

comment:6 by Bruce Dubbs, 2 weeks ago

Milestone: 12.5 → 13.0

Milestone renamed
