CVE-2025-15469 — Improper Verification of Cryptographic Signature in Openssl

CWE-347 — Improper Verification of Cryptographic Signature CWE-1284 — Improper Validation of Specified Quantity in Input CWE-476 — NULL Pointer Dereference14 documents10 sources

Severity

5.5MEDIUMNVD

OSV6.1

EPSS

0.0%

top 99.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl

Timeline

PublishedJan 27

Description

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed2551…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5openssl/openssl3.6.0 — 3.6.1+1

▶NVDopenssl/openssl3.5.0 — 3.5.5+1

▶Alpineopenssl/openssl< 3.5.5-r0+1

▶Debianopenssl/openssl< 3.5.4-1~deb13u2+1

▶Ubuntuopenssl/openssl< 3.0.2-0ubuntu1.21+6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

openssl, openssl1.0 vulnerabilities↗2026-01-27

▶

CVEList

'openssl dgst' one-shot codepath silently truncates inputs >16MB↗2026-01-27

▶

OSV

CVE-2025-15469: Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success i↗2026-01-27

▶

OSV

openssl vulnerabilities↗2026-01-27

▶

GHSA

GHSA-v2vr-926q-29fr: Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success i↗2026-01-27

▶

📋Vendor Advisories

Red Hat

openssl: OpenSSL: Data integrity bypass in `openssl dgst` command due to silent truncation↗2026-01-27

▶

Ubuntu

OpenSSL vulnerabilities↗2026-01-27

▶

BSD

FreeBSD-SA-26:01.openssl: Multiple vulnerabilities in OpenSSL↗2026-01-27

▶

Ubuntu

OpenSSL vulnerabilities↗2026-01-27

▶

Debian

CVE-2025-15469: openssl - Issue summary: The 'openssl dgst' command-line tool silently truncates input dat...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-15469 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶