CVE-2025-69419

Public on 2026-01-27

Modified on 2026-01-27

Description

Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.

Severity

Medium

See what this means

CVSS v3 Base Score

6.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Core	edk2	2026-02-19	ALAS2-2026-3150	Fixed
Amazon Linux 2 - Core	openssl			Not Affected
Amazon Linux 2023	openssl	2026-02-18	ALAS2023-2026-1434	Fixed
Amazon Linux 2023	openssl-fips-provider-certified			Not Affected
Amazon Linux 2 - Openssl-snapsafe Extra	openssl-snapsafe			Not Affected
Amazon Linux 2 - Core	openssl11	2026-02-19	ALAS2-2026-3169	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2025-69419 Mitre: CVE-2025-69419