Critical OpenSSL Vulnerabilities Expose Sensitive Data in RSA KEM Handling
Key Takeaways
- OpenSSL has released a critical security update addressing seven vulnerabilities, including a moderate-severity flaw in RSA KEM handling.
- The primary vulnerability, CVE-2026-31790, could leak sensitive uninitialized memory to attackers due to improper error checking during RSA KEM encapsulation.
- Affected OpenSSL versions include 3.0, 3.3, 3.4, 3.5, and 3.6, with patches available in versions 3.0.20, 3.3.7, 3.4.5, 3.5.6, and 3.6.2.
- Organizations are urged to update immediately and implement public key validation as a mitigation strategy.
OpenSSL has released a comprehensive security update for April 2026, addressing a total of seven vulnerabilities across its active branches. Among these, a moderate-severity flaw, identified as CVE-2026-31790, stands out due to its potential for sensitive data exposure in specific RSA Key Encapsulation Mechanism (KEM) operations.
The advisory from OpenSSL urges users of vulnerable 3.x releases to upgrade to the latest patched versions: OpenSSL 3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2, depending on their specific branch.
Critical RSA KEM Flaw Risks Data Leakage
The most significant issue, CVE-2026-31790, impacts applications that utilize EVP_PKEY_encapsulate() with RSA/RSASVE to derive a shared secret. The vulnerability arises when an application processes an attacker-controlled RSA public key without prior validation.
OpenSSL explained that the root cause is an incorrect return-value check. Specifically, RSA_public_encrypt() returns -1 upon failure, but the affected code only verifies if the return value is non-zero. This oversight allows a cryptographic encapsulation operation to appear successful even when the underlying encryption process has failed.
This logical error poses a severe risk for developers who use caller-supplied ciphertext buffers. If the RSA operation fails, the API might still incorrectly set output lengths and return control as if a valid KEM ciphertext had been generated. This leaves stale or uninitialized memory bytes in the ciphertext buffer, which are then inadvertently sent back to the malicious peer.
As OpenSSL warned, these exposed bytes could contain sensitive data from previous application process executions. What appears to be a failed cryptographic operation thus transforms into a critical data leakage vulnerability.
The vendor confirmed that OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6 are susceptible to this flaw. Older versions, OpenSSL 1.0.2 and 1.1.1, remain unaffected. Furthermore, FIPS modules in versions 3.6, 3.5, 3.4, 3.3, 3.1, and 3.0 are also impacted, extending the concern beyond general deployments to regulated environments that rely on certified cryptographic boundaries.
As an immediate protective measure, OpenSSL advises developers to invoke EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before calling EVP_PKEY_encapsulate().
This recommendation is crucial because successful exploitation hinges on the application accepting an invalid, attacker-controlled RSA public key. Consequently, environments that already validate imported public keys are significantly better protected than those that implicitly trust all key material.
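The following is an added example, not code from OpenSSL or the advisory, that models the root cause and the mitigation described above: fake_rsa_public_encrypt() is a constructed stand-in that only follows the return-value contract the advisory describes (ciphertext length on success, -1 on failure), key_valid stands in for the outcome of the EVP_PKEY_public_check() step, encapsulate_buggy() mirrors the "non-zero means success" check, and encapsulate_fixed() mirrors the correct one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FAKE_MOD_LEN 8

/* Constructed stand-in for RSA_public_encrypt(): same contract as the real call
 * (ciphertext length on success, -1 on failure) but no real RSA. Assumption: an
 * invalid peer key makes it fail before anything is written to out. */
static int fake_rsa_public_encrypt(int key_valid, const uint8_t *in, uint8_t *out)
{
    if (!key_valid) return -1;             /* failure: out is left untouched */
    for (int i = 0; i < FAKE_MOD_LEN; i++)
        out[i] = in[i] ^ 0x5a;             /* placeholder transform */
    return FAKE_MOD_LEN;
}

/* Buggy pattern: only ret == 0 counts as failure, so -1 falls through and the
 * caller's buffer is reported as holding a ciphertext that was never written. */
int encapsulate_buggy(int key_valid, const uint8_t *secret, uint8_t *ct, size_t *ctlen)
{
    int ret = fake_rsa_public_encrypt(key_valid, secret, ct);
    if (ret == 0) return 0;
    *ctlen = FAKE_MOD_LEN;
    return 1;
}

/* Fixed pattern: anything <= 0 is failure and no output length is reported. */
int encapsulate_fixed(int key_valid, const uint8_t *secret, uint8_t *ct, size_t *ctlen)
{
    int ret = fake_rsa_public_encrypt(key_valid, secret, ct);
    if (ret <= 0) { *ctlen = 0; return 0; }
    *ctlen = (size_t)ret;
    return 1;
}

/* Models the leak: ct is pre-filled with 0xAA standing in for leftover process
 * memory. Returns -1 if the wrapper reports failure, otherwise how many stale
 * bytes it would tell the caller to send to the peer as "ciphertext". */
long stale_bytes_leaked(int (*encap)(int, const uint8_t *, uint8_t *, size_t *), int key_valid)
{
    uint8_t ct[FAKE_MOD_LEN];
    memset(ct, 0xAA, sizeof ct);           /* constructed stale contents */
    const uint8_t secret[FAKE_MOD_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    size_t ctlen = 0; long leaked = 0;
    if (!encap(key_valid, secret, ct, &ctlen)) return -1;
    for (size_t i = 0; i < ctlen; i++)
        leaked += (ct[i] == 0xAA);
    return leaked;
}
```

With an invalid key the buggy wrapper reports all eight stale bytes as ciphertext, while the fixed wrapper reports failure and no length; a key that passes validation never reaches the failing path in either wrapper.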
Additional Low-Severity Patches
In addition to the moderate-severity RSASVE bug, OpenSSL addressed six low-severity vulnerabilities. While these issues are more situational, they remain important for organizations monitoring their library exposure.
The patched low-severity flaws include: an out-of-bounds read in AES-CFB-128 on x86-64 systems with AVX-512 and VAES support (CVE-2026-28386); a use-after-free vulnerability in uncommon DANE client configurations (CVE-2026-28387); a delta CRL NULL dereference (CVE-2026-28388); two CMS NULL dereference issues affecting KeyAgreeRecipientInfo and KeyTransportRecipientInfo handling (CVE-2026-28389 and CVE-2026-28390); and a heap buffer overflow during oversized OCTET STRING hexadecimal conversion on 32-bit platforms (CVE-2026-31789).
Most of these issues primarily lead to denial-of-service conditions. However, they underscore a persistent risk pattern in cryptographic libraries: edge-case parsing and error-handling paths often become attack vectors when applications process untrusted certificates, CMS objects, CRLs, or public keys.
For security teams, this update serves as a reminder that OpenSSL’s exposure extends beyond mere TLS termination. Mail gateways, certificate-processing utilities, CMS/S/MIME services, and custom applications leveraging modern KEM APIs may all require thorough review.
OpenSSL credited Simo Sorce of Red Hat with reporting CVE-2026-31790 on February 23, 2026, and acknowledged Nikola Pajkovsky for developing the fix.
What You Should Do
- Update Immediately: Prioritize upgrading all affected OpenSSL installations to versions 3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2.
- Implement Public Key Validation: For applications using EVP_PKEY_encapsulate() with RSA/RSASVE, ensure that EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() is called to validate all public keys, especially those from untrusted or remote sources, before encapsulation.
- Review Custom Applications: Assess any custom applications, mail gateways, or certificate-processing tools that utilize OpenSSL’s KEM APIs or process untrusted cryptographic objects for potential exposure.
- Patch FIPS Modules: Organizations operating in regulated environments using FIPS-validated OpenSSL modules should ensure these are also updated to the patched versions.