CVE-2026-31790
Description
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.
Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker.
RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.
If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext.
As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue.
The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
50- osv-coords49 versionspkg:apk/chainguard/libcrypto3pkg:apk/chainguard/libcrypto3-2.34pkg:apk/chainguard/opensslpkg:apk/wolfi/libcrypto3pkg:apk/wolfi/opensslpkg:rpm/almalinux/opensslpkg:rpm/almalinux/openssl-develpkg:rpm/almalinux/openssl-libspkg:rpm/almalinux/openssl-perlpkg:rpm/opensuse/openssl-1_0_0&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Tumbleweedpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP7pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Micro%206.2
< 3.6.2-r0+ 48 more
- (no CPE)range: < 3.6.2-r0
- (no CPE)range: < 3.6.2-r0
- (no CPE)range: < 3.6.2-r0
- (no CPE)range: < 3.6.2-r0
- (no CPE)range: < 3.6.2-r0
- (no CPE)range: < 1:3.5.5-2.el10_2.alma.1
- (no CPE)range: < 1:3.5.5-2.el10_2.alma.1
- (no CPE)range: < 1:3.5.5-2.el10_2.alma.1
- (no CPE)range: < 1:3.5.5-2.el10_2.alma.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 3.1.4-150600.5.45.1
- (no CPE)range: < 3.5.0-160000.7.1
- (no CPE)range: < 3.5.3-4.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-3.106.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-150000.3.105.1
- (no CPE)range: < 1.0.2p-3.106.1
- (no CPE)range: < 1.1.1l-150400.7.90.1
- (no CPE)range: < 1.1.1l-150400.7.90.1
- (no CPE)range: < 1.1.1d-150200.11.109.1
- (no CPE)range: < 1.1.1l-150400.7.90.1
- (no CPE)range: < 1.1.1l-150400.7.90.1
- (no CPE)range: < 1.1.1l-150400.7.90.1
- (no CPE)range: < 1.1.1l-150400.7.90.1
- (no CPE)range: < 3.0.8-150400.4.81.1
- (no CPE)range: < 3.0.8-150400.4.81.1
- (no CPE)range: < 3.0.8-150500.5.60.1
- (no CPE)range: < 3.0.8-150500.5.60.1
- (no CPE)range: < 3.0.8-150400.4.81.1
- (no CPE)range: < 3.0.8-150400.4.81.1
- (no CPE)range: < 3.2.3-150700.5.31.1
- (no CPE)range: < 3.0.8-150400.4.81.1
- (no CPE)range: < 3.0.8-150500.5.60.1
- (no CPE)range: < 3.1.4-150600.5.45.1
- (no CPE)range: < 3.5.0-160000.7.1
- (no CPE)range: < 3.0.8-150400.4.81.1
- (no CPE)range: < 3.0.8-150500.5.60.1
- (no CPE)range: < 3.1.4-150600.5.45.1
- (no CPE)range: < 3.5.0-160000.7.1
- (no CPE)range: < 3.1.4-12.1
- (no CPE)range: < 3.1.4-slfo.1.1_9.1
- (no CPE)range: < 3.5.0-160000.7.1
Patches
Vulnerability mechanics
References
7- github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5acnvdPatch
- github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482nvdPatch
- github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406nvdPatch
- github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790nvdPatch
- github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379envdPatch
- openssl-library.org/news/secadv/20260407.txtnvdVendor Advisory
- cert-portal.siemens.com/productcert/html/ssa-032379.htmlnvd
News mentions
1- Siemens SIMATICCISA ICS Advisories