GHSA-w9rv-xc8m-cmqp · Severity: high — Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the...
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Conclusion & alert: CVE-2025-69421 is rated Moderate Risk (49/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.82%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.08% | 0.82% | +0.74% |
| 2 | 2026-05-13 | 0.03% | 0.08% | +0.05% |
| 3 | 2026-03-21 | — | 0.03% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-w9rv-xc8m-cmqp · Severity: high — Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the...
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2025-69421: 1 source package rows (openssl); 147 state rows across 6 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, 3.23-main, edge-main); fixed 5, open 142. | https://security.alpinelinux.org/vuln/CVE-2025-69421 |
debian
|
not yet assigned | CVE-2025-69421 not yet assigned priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2025-69421 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2025-69421 |
suse
|
medium | CVE-2025-69421 severity moderate: SUSE including 460 source package names (1.1.1-1.15:libopenssl3-3.2.3-150700.5.24.1, 1.1.1-1.15:openssl-3-3.2.3-150700.5.24.1, …), 1475 product×package rows across 300 product lines (Container private-registry/harbor-core, Container private-registry/harbor-exporter, … (300 product lines)): Fixed 1172, Known Affected 231, Known Not Affected 65, First Fixed 7. | https://www.suse.com/security/cve/CVE-2025-69421/ |
ubuntu
|
low | CVE-2025-69421 low priority: Ubuntu including 4 source packages (edk2, nodejs, openssl, openssl1.0), 32 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): not-affected 11, released 9, needs-triage 5, DNE 4, ignored 2, needed 1. | https://ubuntu.com/security/CVE-2025-69421 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| openssl | openssl | >= 1.0.2, < 1.0.2zn | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 1.1.1, <= 1.1.1ze | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.0.0, < 3.0.19 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.3.0, < 3.3.6 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.4.0, < 3.4.4 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.5.0, < 3.5.5 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.6.0, < 3.6.1 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |