OpenSSL's latest updates patch seven vulnerabilities, including CVE-2026-31790, a moderate-severity flaw in RSASVE key encapsulation that can leak sensitive data from uninitialized memory when encryption verification erroneously reports success. The other fixes are mostly low-severity issues that can cause crashes or denial of service, while two theoretical flaws could enable code execution, one in uncommon configurations and one with a specially crafted 1GB X.509 certificate. Affected releases include 3.0 through 3.6; 1.0.2 and 1.1.1 are not impacted.
#CVE-2026-31790 #OpenSSL
Key points
- Seven vulnerabilities were patched in the latest OpenSSL updates, including CVE-2026-31790.
- CVE-2026-31790 can expose sensitive data when RSASVE verification incorrectly reports success, leaking uninitialized memory.
- The security issues affect OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6; versions 1.0.2 and 1.1.1 are not impacted.
- Most of the remaining flaws are low severity and can cause application crashes or denial-of-service.
- Two flaws could theoretically allow remote code execution: one requires an uncommon configuration, and one involves a specially crafted 1GB X.509 certificate.
Read More: https://www.securityweek.com/data-leakage-vulnerability-patched-in-openssl/