Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
OpenSSL Update Fixes Critical RSA KEM Flaw

OpenSSL Update Fixes Critical RSA KEM Flaw

Posted on April 8, 2026 By CWS

OpenSSL has rolled out a comprehensive security update in April 2026, addressing seven vulnerabilities across its supported versions. The update prioritizes CVE-2026-31790, a moderate-severity flaw in the RSA KEM RSASVE encapsulation, which poses a risk of exposing uninitialized memory to malicious entities. Users are advised to upgrade to specific versions based on their deployment branch.

Addressing Critical RSA KEM Vulnerability

The flaw, CVE-2026-31790, impacts applications utilizing EVP_PKEY_encapsulate() with RSA/RSASVE, where an attacker can supply an RSA public key without validation. This oversight in return-value checking allows encryption to seem successful despite failure, potentially exposing sensitive data within caller-supplied ciphertext buffers.

OpenSSL has identified the flaw in versions 3.0 through 3.6, excluding 1.0.2 and 1.1.1. The flaw also affects FIPS modules in several versions, making it pertinent to both general and compliant environments. To mitigate this risk, OpenSSL recommends validating public keys using EVP_PKEY_public_check() before encapsulation processes.

Additional Security Flaws and Recommendations

Apart from the RSA KEM issue, six other low-severity flaws were patched. These include an out-of-bounds read in AES-CFB-128 on x86-64 systems with AVX-512 and VAES support, and a use-after-free in specific DANE configurations. While less severe, these vulnerabilities underscore potential attack vectors in cryptographic libraries.

The update acts as a reminder for security teams about the broader OpenSSL exposure, which extends beyond just TLS termination. Tools involved in mail processing, certificate handling, and CMS/S/MIME services should be reviewed to ensure they are not at risk.

Future Outlook and Recommendations

Reported by Simo Sorce of Red Hat in February 2026 and rectified by Nikola Pajkovsky, the vulnerability highlights the importance of regular updates and validation in cryptographic processes. Organizations using affected versions should prioritize applying the patches and enforce explicit public-key validation, especially in environments where user-supplied key material is processed.

Staying vigilant with updates and adopting best practices for key validation can significantly reduce the risk of exploitation. Follow our updates on Google News, LinkedIn, and X for the latest in cybersecurity news and insights.

Cyber Security News Tags:Cryptography, CVE-2026-31790, cyber threat, Cybersecurity, data exposure, data protection, encryption flaw, FIPS modules, OpenSSL, public key validation, RSA KEM, security update, software patch, Software Security, Vulnerability

Post navigation

Previous Post: Indian Bank Alerts on LPG Payment Scams Threatening Accounts
Next Post: Anthropic’s AI Model Uncovers Major Security Flaws

Related Posts

New Malware Attack Using Variable Functions and Cookies to Evade and Hide Their Malicious Scripts New Malware Attack Using Variable Functions and Cookies to Evade and Hide Their Malicious Scripts Cyber Security News
Earth Ammit Hackers Attacking Using New Tools to Attack Drones Used in Military Sectors Earth Ammit Hackers Attacking Using New Tools to Attack Drones Used in Military Sectors Cyber Security News
Critical Zero-Day in Cisco Products Exploited in Attacks Critical Zero-Day in Cisco Products Exploited in Attacks Cyber Security News
New Elastic EDR 0-Day Vulnerability Allows Attackers to Bypass Detection, Execute Malware, and Cause BSOD New Elastic EDR 0-Day Vulnerability Allows Attackers to Bypass Detection, Execute Malware, and Cause BSOD Cyber Security News
Ransomware Threats Exploit Employee Monitoring Tools Ransomware Threats Exploit Employee Monitoring Tools Cyber Security News
Halo Security Achieves SOC 2 Type II Compliance, Demonstrating Sustained Security Excellence Over Time Halo Security Achieves SOC 2 Type II Compliance, Demonstrating Sustained Security Excellence Over Time Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark