OpenSSL Patches Seven Vulnerabilities, Including Moderate-Severity Data Leak Flaw
OpenSSL has released updates addressing seven vulnerabilities, one of which (CVE-2026-31790) could allow attackers to access sensitive data. Classified as moderate severity, the flaw affects applications using RSASVE key encapsulation: the implementation failed to verify that the underlying encryption operation succeeded, so on a failure path the output could be taken from an uninitialized memory buffer, potentially exposing residual sensitive data left over from earlier use of that memory.
The vulnerability affects the OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 branches; the 1.0.2 and 1.1.1 series are not affected. The remaining six flaws are rated low severity, and most enable denial-of-service (DoS) through application crashes. Two could in theory permit arbitrary code execution, but one requires an uncommon OpenSSL configuration and the other depends on a 1 GB X.509 certificate, which makes exploitation impractical in most cases.
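The defect class described above, shown as an added illustration that is not OpenSSL's code and does not reproduce the actual CVE-2026-31790 code path: a key-encapsulation wrapper that ignores the status of the underlying public-key encryption hands its caller whatever the output buffer already held, while the hardened variant propagates the failure and clears the buffer. The primitive mock_rsa_encrypt, the wrapper names and the residue bytes are all constructed for this example; for affected applications the actual remedy is to upgrade to the patched OpenSSL release.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CT_LEN 32

/* Hypothetical stand-in for an RSA public-key encryption primitive.
 * Returns 1 on success and writes CT_LEN bytes of output; returns 0 on
 * failure (bad arguments, oversized input) and leaves the output buffer
 * untouched, which is exactly the behaviour that makes an unchecked
 * status dangerous. The transform is a toy, not cryptography. */
static int mock_rsa_encrypt(const uint8_t *msg, size_t msg_len, uint8_t *out)
{
    if (msg == NULL || msg_len == 0 || msg_len > CT_LEN)
        return 0;                                   /* failure: out untouched */
    for (size_t i = 0; i < CT_LEN; i++)
        out[i] = (uint8_t)(msg[i % msg_len] ^ 0x5a);
    return 1;
}

/* Vulnerable pattern: the status of the primitive is discarded and the
 * wrapper reports success regardless, so the caller receives whatever
 * bytes happened to be in ct before the call. */
int kem_encapsulate_vulnerable(const uint8_t *secret, size_t secret_len,
                               uint8_t *ct, size_t *ct_len)
{
    mock_rsa_encrypt(secret, secret_len, ct);       /* return value ignored */
    *ct_len = CT_LEN;
    return 1;
}

/* Hardened pattern: check the status; on failure clear the output, report
 * zero length and return an error so nothing stale can be used. */
int kem_encapsulate_hardened(const uint8_t *secret, size_t secret_len,
                             uint8_t *ct, size_t *ct_len)
{
    if (!mock_rsa_encrypt(secret, secret_len, ct)) {
        memset(ct, 0, CT_LEN);
        *ct_len = 0;
        return 0;
    }
    *ct_len = CT_LEN;
    return 1;
}

/* Model of uninitialised memory: the ct buffer is pre-filled with bytes
 * that a previous operation left behind (constructed data). Run one of
 * the two wrappers on an input the primitive rejects and count how many
 * residual bytes the caller would see in the returned "ciphertext". */
size_t residual_bytes_leaked(int use_hardened)
{
    static const uint8_t residue[CT_LEN] = "PRIOR-SESSION-KEY-0123456789ab";
    const uint8_t *too_long =
        (const uint8_t *)"this message is longer than the ciphertext can carry";
    uint8_t ct[CT_LEN];
    size_t ct_len = 0;
    int ok;

    memcpy(ct, residue, CT_LEN);                    /* stale contents */
    ok = use_hardened
           ? kem_encapsulate_hardened(too_long, strlen((const char *)too_long), ct, &ct_len)
           : kem_encapsulate_vulnerable(too_long, strlen((const char *)too_long), ct, &ct_len);
    if (!ok)
        return 0;                                   /* caller never uses ct */

    size_t leaked = 0;
    for (size_t i = 0; i < ct_len; i++)
        if (ct[i] == residue[i])
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable wrapper: %zu residual bytes returned on failure\n",
           residual_bytes_leaked(0));
    printf("hardened wrapper:   %zu residual bytes returned on failure\n",
           residual_bytes_leaked(1));
    return 0;
}
```

The vulnerable wrapper returns all 32 stale bytes as if they were ciphertext; the hardened one returns an error and an empty buffer. The same discipline applies to callers of any encapsulation API: treat the returned status and length as authoritative and never consume the output buffer after a failure.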
This follows a January update that fixed 12 vulnerabilities, including a high-severity remote code execution (RCE) flaw. High-severity OpenSSL vulnerabilities have become rare, with only one reported in 2025. The latest patches continue OpenSSL's ongoing work to reduce risk in one of the most widely used cryptographic libraries.
Source: https://www.securityweek.com/data-leakage-vulnerability-patched-in-openssl/
OpenSSL Corporation cybersecurity rating report: https://www.rankiteo.com/company/openssl-corporation
{
  "id": "OPE1775666105",
  "linkid": "openssl-corporation",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users of OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0",
      "industry": "Cybersecurity/Cryptography",
      "name": "OpenSSL",
      "type": "Software Library"
    }
  ],
  "data_breach": {
    "data_encryption": "Failed verification in RSASVE key encapsulation",
    "sensitivity_of_data": "High (residual sensitive data)",
    "type_of_data_compromised": "Sensitive data from uninitialized memory buffers"
  },
  "description": "OpenSSL has released updates addressing seven vulnerabilities, one of which (CVE-2026-31790) could allow attackers to access sensitive data. The flaw affects applications using RSASVE key encapsulation by failing to verify encryption success, potentially exposing uninitialized memory buffers containing residual sensitive data from prior processes. The remaining six flaws are rated low severity, with most enabling denial-of-service (DoS) attacks via application crashes.",
  "impact": {
    "data_compromised": "Sensitive data from uninitialized memory buffers",
    "operational_impact": "Potential application crashes (DoS)",
    "systems_affected": "Applications using OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0 with RSASVE key encapsulation"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patches released to address the vulnerabilities.",
    "root_causes": "Failure to verify encryption success in RSASVE key encapsulation, leading to exposure of uninitialized memory buffers."
  },
  "recommendations": "Update to the latest patched versions of OpenSSL to mitigate vulnerabilities.",
  "references": [
    {
      "source": "OpenSSL Security Advisory"
    }
  ],
  "response": {
    "containment_measures": "Patches released for affected versions",
    "remediation_measures": "Update to patched OpenSSL versions"
  },
  "title": "OpenSSL Patches Seven Vulnerabilities, Including Moderate-Severity Data Leak Flaw",
  "type": [
    "Data Leak",
    "Denial-of-Service (DoS)",
    "Potential Arbitrary Code Execution"
  ],
  "vulnerability_exploited": [
    "CVE-2026-31790",
    "Six low-severity flaws"
  ]
}