CVE-2026-31790Improper Check for Unusual or Exceptional Conditions in Openssl

CWE-754Improper Check for Unusual or Exceptional ConditionsCWE-824Access of Uninitialized Pointer20 documents10 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 93.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
OpensslDebian OpensslMsrc Azl3 Openssl 3.3.5-4 ON Azure Linux 3.0
Timeline
PublishedApr 7
Latest updateApr 13

Description

Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

debiandebian/openssl< openssl 3.0.19-1~deb12u2 (bookworm)
CVEListV5openssl/openssl3.6.03.6.2+4
Alpineopenssl/openssl< 3.5.6-r0+1
Debianopenssl/openssl< 3.0.19-1~deb12u2+1

🔴Vulnerability Details

4
GHSA
GHSA-vgxx-5xj5-q97x: Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to2026-04-08
OSV
CVE-2026-31790: Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to2026-04-07
OSV
CVE-2026-31790: Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to2026-04-07
OSV
CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation2026-04-07

📋Vendor Advisories

5
Ubuntu
OpenSSL vulnerabilities2026-04-09
Ubuntu
OpenSSL vulnerabilities2026-04-08
Red Hat
openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key2026-04-07
Microsoft
Incorrect Failure Handling in RSA KEM RSASVE Encapsulation2026-04-02
Debian
CVE-2026-31790: openssl - Issue summary: Applications using RSASVE key encapsulation to establish a secret...2026

🕵️Threat Intelligence

9
Hackernews
⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More2026-04-13
Wiz
CVE-2026-28388 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-28386 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-28387 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-28389 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-31790 openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key2026-03-25
CVE-2026-31790 — Openssl vulnerability | cvebase