OpenSSL fixes RSA KEM flaw that can leak sensitive memory data
OpenSSL has released its April 2026 security update, fixing seven vulnerabilities across supported 3.x branches. The most important one is CVE-2026-31790, a moderate-severity flaw in RSA KEM RSASVE encapsulation that can let an application send uninitialized memory back to a malicious peer.
The bug affects OpenSSL 3.0 through 3.6, with fixes shipping in versions 3.0.20, 3.3.7, 3.4.5, 3.5.6, and 3.6.2. OpenSSL’s release timeline shows all of those patched builds went live on April 7, 2026, alongside the security advisory.
In plain terms, the flaw can expose leftover data from process memory when an application uses EVP_PKEY_encapsulate() with RSA/RSASVE and accepts an attacker-controlled RSA public key without validating it first. OpenSSL says the issue can leak sensitive data from a previous execution of the application process.
Why CVE-2026-31790 matters
According to OpenSSL, the problem comes from incorrect failure handling. RSA_public_encrypt() returns -1 on error, but the affected code checked only whether the value was non-zero, so a failure could still look like a success to the caller.
That means encapsulation can return success, set output lengths, and leave the caller using whatever bytes already sit in the ciphertext buffer. If the application then sends that buffer to a remote peer, it may expose stale memory instead of valid KEM output.
This is not a broad internet-wide OpenSSL break. Exploitation depends on a specific setup where the application uses RSA-based encapsulation, accepts an attacker-supplied public key, and fails to validate that key before use. OpenSSL recommends calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() first.
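To make the failure-handling mistake concrete, here is an added illustrative example in C. It is not OpenSSL's code: `fake_rsa_public_encrypt()`, `struct fake_rsa_pub`, and the 0x5A sentinel used to model leftover process memory are all constructed stand-ins. The stub mirrors the documented contract of RSA_public_encrypt(), a positive length on success and -1 on failure, and the two wrappers show the non-zero check that lets -1 pass beside the corrected check.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not OpenSSL code. Stand-in for an RSA_public_encrypt()-style
 * primitive: returns the ciphertext length on success and -1 on failure, never 0.
 * The "key" is a constructed placeholder: a modulus length in bytes plus a flag
 * that makes the stub fail, modelling an unusable attacker-supplied key. */
struct fake_rsa_pub {
    size_t modulus_len;   /* byte length of n, e.g. 256 for RSA-2048 */
    int    usable;        /* 0 models a key the primitive rejects */
};

static int fake_rsa_public_encrypt(const struct fake_rsa_pub *key,
                                   unsigned char *out, size_t out_len)
{
    if (!key->usable || out_len < key->modulus_len)
        return -1;                       /* error: out is NOT written */
    memset(out, 0xA5, key->modulus_len); /* pretend this is real ciphertext */
    return (int)key->modulus_len;
}

/* Vulnerable pattern: "did the primitive return non-zero?". Since -1 is
 * non-zero, a failure is reported as success, *ct_len is set, and ct still
 * holds whatever the caller left in it. */
int encapsulate_vulnerable(const struct fake_rsa_pub *key,
                           unsigned char *ct, size_t *ct_len)
{
    int rc = fake_rsa_public_encrypt(key, ct, *ct_len);
    if (rc != 0) {              /* BUG: -1 passes this test */
        *ct_len = key->modulus_len;
        return 1;               /* reported as success */
    }
    return 0;
}

/* Fixed pattern: any non-positive return is a failure and is propagated. */
int encapsulate_fixed(const struct fake_rsa_pub *key,
                      unsigned char *ct, size_t *ct_len)
{
    int rc = fake_rsa_public_encrypt(key, ct, *ct_len);
    if (rc <= 0)
        return 0;
    *ct_len = (size_t)rc;
    return 1;
}

/* Count bytes of ct that still hold the sentinel the caller prefilled.
 * After a genuine encapsulation none should remain. */
size_t stale_bytes(const unsigned char *ct, size_t len, unsigned char sentinel)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (ct[i] == sentinel)
            n++;
    return n;
}

int main(void)
{
    struct fake_rsa_pub bad = { 256, 0 };   /* constructed unusable peer key */
    unsigned char ct[256];
    size_t ct_len = sizeof ct;

    memset(ct, 0x5A, sizeof ct);            /* models leftover process memory */
    if (encapsulate_vulnerable(&bad, ct, &ct_len))
        printf("vulnerable: reported success, %zu stale bytes would be sent\n",
               stale_bytes(ct, ct_len, 0x5A));

    ct_len = sizeof ct;
    if (!encapsulate_fixed(&bad, ct, &ct_len))
        printf("fixed: encapsulation failed, nothing is sent\n");
    return 0;
}
```

The point to take from the two wrappers: with the buggy check, the peer that supplied the bad key receives 256 bytes of whatever the buffer held before the call; with the corrected check, the caller sees a failure and sends nothing.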
Affected versions
| OpenSSL branch | Vulnerable versions | Fixed version |
|---|---|---|
| 3.6 | 3.6.0 before 3.6.2 | 3.6.2 |
| 3.5 | 3.5.0 before 3.5.6 | 3.5.6 |
| 3.4 | 3.4.0 before 3.4.5 | 3.4.5 |
| 3.3 | 3.3.0 before 3.3.7 | 3.3.7 |
| 3.0 | 3.0.0 before 3.0.20 | 3.0.20 |
Source: OpenSSL vulnerability advisory and vulnerability database.
Other OpenSSL bugs fixed in the same update
OpenSSL also fixed six low-severity issues in the same release cycle. These include CVE-2026-28386, an out-of-bounds read on x86-64 systems with AVX-512 and VAES support, plus CVE-2026-28387, a potential use-after-free in DANE client code.
The update also addresses CVE-2026-28388, a NULL pointer dereference when processing a delta CRL, and two CMS-related NULL dereference bugs tracked as CVE-2026-28389 and CVE-2026-28390. OpenSSL says applications that process attacker-controlled CMS data may crash before authentication or crypto operations occur.
Another fix, CVE-2026-31789, covers a heap buffer overflow in hexadecimal conversion on 32-bit platforms. OpenSSL says this one mainly affects applications that print or log untrusted X.509 certificates, and only under fairly unusual conditions involving very large certificate data.
Patched CVEs in April 2026
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation
- CVE-2026-28386: Out-of-bounds read in AES-CFB-128 on some x86-64 systems
- CVE-2026-28387: Potential use-after-free in DANE client code
- CVE-2026-28388: NULL pointer dereference when processing a delta CRL
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo
- CVE-2026-28390: Possible NULL dereference when processing CMS KeyTransportRecipientInfo
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion
Who needs to patch first
Teams should prioritize this update if they run custom applications that use modern OpenSSL KEM APIs, especially where remote or user-supplied public keys can reach the encapsulation path. The risk also matters for products that do more than TLS termination, including certificate-processing tools, CMS or S/MIME services, and internal crypto utilities.
One important detail in the official advisory is that OpenSSL’s FIPS modules in versions 3.6, 3.5, 3.4, 3.3, 3.1, and 3.0 are affected by CVE-2026-31790. That makes the bug relevant for regulated environments too, not just general-purpose deployments.
OpenSSL credits Simo Sorce of Red Hat with reporting CVE-2026-31790 and says Nikola Pajkovsky developed the fix. The project classifies the issue as moderate rather than high or critical, but the memory disclosure angle makes it worth fast attention in exposed workflows.
What admins and developers should do
- Upgrade to the patched OpenSSL release for your branch
- Review any use of EVP_PKEY_encapsulate() with RSA/RSASVE
- Validate imported or attacker-controlled public keys before encapsulation
- Check whether your implementation passes caller-supplied ciphertext buffers into encapsulation, since their stale contents are what a failed call could leak
- Test certificate, CMS, DANE, and CRL processing paths if your apps accept untrusted input
- Confirm whether FIPS-boundary deployments use affected OpenSSL 3.x branches
FAQ
What is the most serious vulnerability in the April 2026 OpenSSL update?
It is CVE-2026-31790, a moderate-severity RSA KEM RSASVE flaw that can leak uninitialized memory data to a malicious peer.
Which OpenSSL versions contain the fix?
OpenSSL says users should move to 3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2, depending on the branch they use.
Are OpenSSL 1.0.2 and 1.1.1 affected by CVE-2026-31790?
The official affected-version list for CVE-2026-31790 covers OpenSSL 3.0 through 3.6. It does not list 1.0.2 or 1.1.1 as affected for this specific issue.
What does OpenSSL recommend applications do before encapsulating with a peer-supplied key?
OpenSSL recommends validating the public key before calling EVP_PKEY_encapsulate(), using EVP_PKEY_public_check() or EVP_PKEY_public_check_quick().