MNBSD-2026-38: out-of-bounds write in PKCS12_get_friendlyname() UTF-8 conversion

Severity: Unknown

Affected Package: openssl

Summary: out-of-bounds write in PKCS12_get_friendlyname() UTF-8 conversion

Description

Calling PKCS12_get_friendlyname() on a maliciously crafted PKCS#12 file whose friendly name is a BMPString (UTF-16BE) containing a non-ASCII BMP code point can trigger a one-byte write before the start of the allocated buffer. The resulting memory corruption can cause a Denial of Service. OpenSSL rates the severity as Low.

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2025-69419

Published: June 11, 2026
Last Modified: June 11, 2026