Improper validation of PBMAC1 parameters in OpenSSL PKCS#12 MAC verification
OpenSSL contains an input-validation flaw in PKCS#12 MAC verification when processing PKCS#12 files that use PBMAC1. During verification, PBKDF2 salt and keylength parameters are taken from the file without proper validation. If the attacker-controlled keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), key derivation can overflow that stack buffer. Additionally, if the salt parameter is not encoded as an OCTET STRING, the code path can trigger an invalid pointer or NULL pointer dereference. The issue affects OpenSSL 3.6, 3.5, and 3.4; OpenSSL 3.3, 3.0, 1.1.1, and 1.0.2 are not affected because they do not support PBMAC1 in PKCS#12. OpenSSL FIPS modules in 3.6, 3.5, and 3.4 are not affected because PKCS#12 processing is outside the FIPS module boundary.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a real proof-of-concept for CVE-2025-11187, a stack buffer overflow in OpenSSL 3.x PKCS#12 PBMAC1/PBKDF2 handling. The bug is described as occurring when an attacker controls the PBKDF2 keylength embedded in PBMAC1 parameters; OpenSSL later uses that oversized key length in MAC generation/verification, causing a write past a fixed-size stack buffer in libcrypto (notably pkcs12_gen_mac() / PBMAC1_PBKDF2_HMAC in crypto/pkcs12/p12_mutl.c, with the overflow surfacing in PBKDF2 code paths).

Repository structure is small and focused: three C PoCs under src/, build instructions in a Makefile, reproduction notes in docs/, sanitizer/crash logs in logs/, and a patch diff in patch/ showing the intended remediation.

The default build target is src/poc_public.c, which is the main public PoC. It constructs a minimal PKCS#12 object in memory, calls PKCS12_set_pbmac1_pbkdf2() to initialize PBMAC1, then manually unpacks and rewrites the embedded PBKDF2 parameters so keylength becomes attacker-controlled. It finally invokes PKCS12_verify_mac(), which triggers the vulnerable path. The CLI accepts <keylength> [iter] [digest], making it easy to test values like 4096, 1000, sha256.

The internal PoCs are more direct. src/poc_internal.c uses internal OpenSSL structures/headers to build a PKCS#12 object, replace the MAC algorithm parameters with a crafted PBMAC1PARAM containing a large key length, and then call PKCS12_verify_mac(). src/poc_internal_cli.c similarly exposes keylength, iteration count, and digest via command line, but calls PKCS12_gen_mac() instead of verify, demonstrating the same unsafe handling from a slightly different path.

There are no network capabilities, C2, remote callbacks, or external service endpoints. The attack vector is local/file-based: a malicious PKCS#12 structure is created in memory to emulate parsing or verifying a hostile PKCS#12 file.
The included logs show UBSan/ASan traces confirming undefined behavior and a stack-buffer-overflow, with the key buffer in pkcs12_gen_mac() being overrun. The patch diff adds a simple bounds check rejecting key lengths <= 0 or greater than EVP_MAX_MD_SIZE before invoking PKCS5_PBKDF2_HMAC, which aligns with the demonstrated root cause. Overall, this is a focused denial-of-service memory-corruption PoC repository for OpenSSL PKCS#12 PBMAC1 handling, intended for vulnerability reproduction and validation rather than post-exploitation.
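As an added defender-side check, not code from the CVE page or the PoC repository: a stdlib-only DER walker that inspects a PKCS#12 file's MacData before it is handed to an unpatched OpenSSL and flags the two PBMAC1 conditions described above (a PBKDF2 salt that is not an OCTET STRING, and a keyLength outside 1..EVP_MAX_MD_SIZE), which is the same bound the patch enforces. The sample PFX is constructed inline with a dummy authSafe and a zero MAC; the OIDs are the standard values from RFC 8018 and RFC 9579.

```python
# Added example (not the CVE page's or the PoC repository's code); OIDs per RFC 8018 / RFC 9579.
PBMAC1 = bytes.fromhex("2a864886f70d01050e")     # 1.2.840.113549.1.5.14
PBKDF2 = bytes.fromhex("2a864886f70d01050c")     # 1.2.840.113549.1.5.12
HMAC_SHA256 = bytes.fromhex("2a864886f70d0209")  # 1.2.840.113549.2.9
ID_DATA = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1
EVP_MAX_MD_SIZE = 64                             # size of the fixed stack key buffer in OpenSSL

def der(tag, body):
    """Encode one DER TLV with a definite short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def der_int(n):  # minimal two's-complement INTEGER
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
def children(body):
    """Split a constructed DER body into a list of (tag, value) elements."""
    out, i = [], 0
    while i < len(body):
        tag, ln, i = body[i], body[i + 1], i + 2
        if ln & 0x80:                              # long-form length
            ln, i = int.from_bytes(body[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        out.append((tag, body[i:i + ln]))
        i += ln
    return out

def build_pfx(key_length=32, salt_tag=0x04):
    """Constructed sample PFX: dummy authSafe, zero MAC, PBMAC1 over PBKDF2-HMAC-SHA256."""
    kdf = der(0x30, der(0x06, PBKDF2) + der(0x30, der(salt_tag, b"\x00" * 8) + der_int(1000) + der_int(key_length)))
    alg = der(0x30, der(0x06, PBMAC1) + der(0x30, kdf + der(0x30, der(0x06, HMAC_SHA256))))
    mac_data = der(0x30, der(0x30, alg + der(0x04, b"\x00" * 32)) + der(0x04, b"\x00" * 8) + der_int(1))
    auth_safe = der(0x30, der(0x06, ID_DATA) + der(0xA0, der(0x04, b"")))
    return der(0x30, der_int(3) + auth_safe + mac_data)

def check_pbmac1_params(pfx):
    """Return findings for a DER PKCS#12 blob; an empty list means nothing suspicious."""
    top = children(children(pfx)[0][1])           # PFX ::= SEQUENCE { version, authSafe, macData }
    if len(top) < 3:
        return []                                 # no MacData: the PBMAC1 path is unreachable
    digest_alg = children(children(children(top[2][1])[0][1])[0][1])  # macData.mac.digestAlgorithm
    kdf_alg = children(children(digest_alg[1][1])[0][1]) if digest_alg[0][1] == PBMAC1 else []
    if not kdf_alg or kdf_alg[0][1] != PBKDF2:    # not PBMAC1, or a KDF other than PBKDF2
        return []
    kdf, findings = children(kdf_alg[1][1]), []   # PBKDF2-params
    if kdf[0][0] != 0x04:                         # salt CHOICE must be the OCTET STRING arm
        findings.append(f"salt is not an OCTET STRING (tag 0x{kdf[0][0]:02x})")
    if len(kdf) > 2 and kdf[2][0] == 0x02:        # optional keyLength present
        klen = int.from_bytes(kdf[2][1], "big", signed=True)
        if klen <= 0 or klen > EVP_MAX_MD_SIZE:
            findings.append(f"keyLength {klen} outside 1..{EVP_MAX_MD_SIZE}")
    return findings
```

A file whose findings list is non-empty should be rejected rather than passed to PKCS12_verify_mac() on a pre-fix build; a conforming file with keyLength within the bound returns an empty list.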
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A PKCS#12 PBMAC1 PBKDF2 KeyLength overflow that can lead to MAC verification bypass.
An OpenSSL example CVE referenced as part of the broader disclosure set, but not detailed in this content.
An OpenSSL vulnerability patched by upgrading to OpenSSL 3.6.1 in IPFire Core Update 200.