CVE-2025-15467 HIGH openssl buffer overflow

CVE: https://www.cve.org/CVERecord?id=CVE-2025-15467

You should have already seen an update to openssl come through in the last few days. However the package version numbering may not match what is listed in the CVE. So best to check your specific distro.

I haven’t heard of anyone having converted the buffer overflow into remote code execution in an exploit in the wild, but the best exploiters ensure that that is the case, i.e. undetected.


I have not received an openssl update since Sept 2023 according to

openssl version

on Byzantium. Is there something else I should check?

I think that date is unhelpful / bogus. Even on my computer it is showing Jan 2024 despite the fact that I know an update came through within the last few weeks (in my case Jan 29 this year). In my case, I think what happened is that the fix was backported to a much earlier version of openssl and the date output therefore reflects the date on the original earlier version.

Refer to /var/log/apt/history.log for the actual package upgrade date.

However for me that log file is rotating about monthly and I already need to view an earlier file with

gunzip -c /var/log/apt/history.log.1.gz | grep -B 2 openssl

YMMV.

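The check described above (search the current apt history log and its rotated .gz copies for a package upgrade) as an added script, not from any poster in this thread. It assumes a Debian/PureOS layout under /var/log/apt and builds its own constructed sample logs in a temp directory so it runs offline; the version strings in the sample are made up.

```shell
#!/bin/sh
# Added example: list apt upgrade events for a package across
# /var/log/apt/history.log and the rotated history.log.N.gz files.

# find_pkg_upgrades PKG [LOGDIR]
# Prints each "Start-Date:" line followed by the "Upgrade:" line that
# mentions PKG (matched as "PKG:" at the start of the list or after ", ").
find_pkg_upgrades() {
    pkg="$1"
    logdir="${2:-/var/log/apt}"
    for f in "$logdir"/history.log "$logdir"/history.log.*.gz; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        case "$f" in
            *.gz) gunzip -c "$f" ;;      # rotated logs are gzip-compressed
            *)    cat "$f" ;;
        esac
    done | awk -v pkg="$pkg" '
        /^Start-Date:/ { start = $0 }
        /^Upgrade:/ && $0 ~ ("(^Upgrade: |, )" pkg ":") { print start; print $0 }
    '
}

# count_pkg_upgrades PKG [LOGDIR] -> number of upgrade events found
count_pkg_upgrades() {
    find_pkg_upgrades "$1" "$2" | grep -c '^Upgrade:' || true   # grep -c exits 1 on 0 matches
}

# Constructed sample logs (versions are placeholders, not real Debian releases).
make_sample_logs() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Start-Date: 2026-01-29  10:12:03' \
        'Commandline: apt upgrade' \
        'Upgrade: python3-requests:amd64 (2.25.1+dfsg-2, 2.25.1+dfsg-2+deb11u1)' \
        'End-Date: 2026-01-29  10:12:10' > "$dir/history.log"
    printf '%s\n' \
        'Start-Date: 2025-12-14  08:00:01' \
        'Commandline: apt upgrade' \
        'Upgrade: openssl:amd64 (1.1.1w-0+deb11u1, 1.1.1w-0+deb11u3), libssl1.1:amd64 (1.1.1w-0+deb11u1, 1.1.1w-0+deb11u3)' \
        'End-Date: 2025-12-14  08:00:09' | gzip -c > "$dir/history.log.1.gz"
    echo "$dir"
}

# Usage on a real system: find_pkg_upgrades openssl
```

On a live system drop the second argument so the functions read /var/log/apt; the sample directory is only there to show the output shape.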

Thanks for the reply :slightly_smiling_face:

Checked /var/log/apt/history logs. Nothing. I get the Debian security list notifications and so the time should be @ Jan 27 or after for the openssl update. Nada. I updated a bunch of python pkgs a few days ago…

/usr/bin/openssl has a date of Oct 3 2025(?)

Maybe byzantium has not issued a fix yet?

Hmmm. Debian appears to be saying “Vulnerable code introduced later” and “not affected” and “OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.” Source: CVE-2025-15467

So what version of OpenSSL does the output from openssl version identify?

Ironically, that could mean that byzantium is too old to be vulnerable in this specific case but maybe crimson is vulnerable.


You’re right. Byzantium’s OpenSSL 1.1.1w is not affected, per the openssl advisory

https://openssl-library.org/news/secadv/20260127.txt

…and now I realize I may need to dig deeper for every relevant pkg security notification from Debian. :upside_down_face:

Your replies have been much appreciated. :slightly_smiling_face: