Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.
Conclusion & alert: CVE-2025-11187 is rated Low Risk (25.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-01-28 | — | 0.02% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.1 | 3.1 | MEDIUM |
|
1.3 | 4.7 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2025-11187: 1 source package rows (openssl); 17 state rows across 3 repos (3.22-main, 3.23-main, edge-main); fixed 3, open 14. | https://security.alpinelinux.org/vuln/CVE-2025-11187 |
debian
|
unimportant | CVE-2025-11187 unimportant priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2025-11187 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2025-11187 |
suse
|
high | CVE-2025-11187 severity important: SUSE including 310 source package names (16.3-1.20:libopenssl-3-fips-provider-3.5.0-160000.5.1, 16.3-1.20:libopenssl3-3.5.0-160000.5.1, …), 749 product×package rows across 92 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sles/16.0/toolbox, … (92 product lines)): Known Not Affected 319, Known Affected 231, Fixed 191, First Fixed 8. | https://www.suse.com/security/cve/CVE-2025-11187/ |
ubuntu
|
medium | CVE-2025-11187 medium priority: Ubuntu including 4 source packages (edk2, nodejs, openssl, openssl1.0), 32 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): not-affected 18, needs-triage 5, DNE 4, ignored 2, released 2, needed 1. | https://ubuntu.com/security/CVE-2025-11187 |