PKCS7 is a container format that pops up in a couple places in the TLS ecosystem (also in code signing); anywhere you need a secure blob that includes metadata. It's a very widely used format.

AEAD ciphers are those that simultaneously encrypt and authenticate data. AES-GCM is the most popular; Chapoly is the 2nd most popular. AEAD ciphers are how modern programs do encryption.

AEAD ciphers all rely on additional parameters, most commonly a nonce; it's critical to security that the nonce only ever be used once with a given key. You need the nonce to decrypt the AEAD ciphertext, so it's usually tacked on to the message (in more clever formats you can derive it contextually, but PKCS7 is a general-purpose format).

In parsing PKCS7 messages, when OpenSSL comes across AEAD-encrypted blobs, it needs to parse out the nonce. AEAD nonces tend to have fixed sizes, but there are extended-nonce variants of AEADs, and the format allows for arbitrary-sized values. OpenSSL assumed a fixed nonce size, but parsed with a library that handled arbitrary-sized values. Stack overflow.

A maliciously formatted Authenticode signature, certificate chain, OCSP response (I think?), all things that could trigger the bug.

Services that process CMS[1] or PKCS#7 envelopes may be vulnerable to this bug. The most common example of these is S/MIME (for signed/encrypted email), but PKCS#7 and CMS show up in all kinds of random places.

(Unless I'm missing something, a key piece of context here is that CMD/PKCS#7 blobs are typically allowed to select their own algorithms, at least within an allowlist controlled by the receiving party. So the fact that it depends on an AEAD-specific parameter encoding is probably not a huge hurdle for someone looking to exploit this.)

[1]: https://datatracker.ietf.org/doc/html/rfc5652

[2]: https://datatracker.ietf.org/doc/html/rfc2315

[dead]