OpenSSL has rolled out a comprehensive security update in April 2026, addressing seven vulnerabilities across its supported versions. The update prioritizes CVE-2026-31790, a moderate-severity flaw in the RSA KEM RSASVE encapsulation, which poses a risk of exposing uninitialized memory to malicious entities. Users are advised to upgrade to specific versions based on their deployment branch.
Addressing Critical RSA KEM Vulnerability
The flaw, CVE-2026-31790, impacts applications utilizing EVP_PKEY_encapsulate() with RSA/RSASVE, where an attacker can supply an RSA public key without validation. This oversight in return-value checking allows encryption to seem successful despite failure, potentially exposing sensitive data within caller-supplied ciphertext buffers.
OpenSSL has identified the flaw in versions 3.0 through 3.6, excluding 1.0.2 and 1.1.1. The flaw also affects FIPS modules in several versions, making it pertinent to both general and compliant environments. To mitigate this risk, OpenSSL recommends validating public keys using EVP_PKEY_public_check() before encapsulation processes.
Additional Security Flaws and Recommendations
Apart from the RSA KEM issue, six other low-severity flaws were patched. These include an out-of-bounds read in AES-CFB-128 on x86-64 systems with AVX-512 and VAES support, and a use-after-free in specific DANE configurations. While less severe, these vulnerabilities underscore potential attack vectors in cryptographic libraries.
The update acts as a reminder for security teams about the broader OpenSSL exposure, which extends beyond just TLS termination. Tools involved in mail processing, certificate handling, and CMS/S/MIME services should be reviewed to ensure they are not at risk.
Future Outlook and Recommendations
Reported by Simo Sorce of Red Hat in February 2026 and rectified by Nikola Pajkovsky, the vulnerability highlights the importance of regular updates and validation in cryptographic processes. Organizations using affected versions should prioritize applying the patches and enforce explicit public-key validation, especially in environments where user-supplied key material is processed.
Staying vigilant with updates and adopting best practices for key validation can significantly reduce the risk of exploitation. Follow our updates on Google News, LinkedIn, and X for the latest in cybersecurity news and insights.
