How to fix CVE-2025-69421?

Within 24 hours: Identify all systems processing PKCS#12 files and assess exposure. Within 7 days: Apply the available vendor patch to all affected systems during scheduled maintenance windows. Within 30 days: Complete patch deployment across all environments and validate functionality through certificate import testing.

Is OpenSSL affected by CVE-2025-69421?

CVE-2025-69421 is a denial-of-service vulnerability affecting applications that process PKCS#12 certificate files. Organizations using affected systems risk service disruptions if attackers submit malformed certificate files, potentially impacting authentication, VPN access, or other PKI-dependent…

CVE-2025-69421

HIGH

2026-01-27 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch Released

Feb 28, 2026 - 04:16 nvd

Patch available

CVE Published

Jan 27, 2026 - 16:16 nvd

HIGH 7.5

Description

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Analysis

Technical Context

Classified as CWE-476 (NULL Pointer Dereference). Affects Openssl. Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer

dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to

Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct

parameter is NULL before dereferencing it. When called from

PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can

be NULL, cau

Affected Products

Vendor: Openssl. Product: Openssl.

Remediation

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

Vendor Status

CVE-2025-69421 vulnerability details – vuln.today

Back

CVE-2025-69421

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-69421

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code