Sensitive Data Leakage in OpenSSL Affected by RSASVE Key Encapsulation
CVE-2026-31790
Key Information:
Badges
What is CVE-2026-31790?
CVE-2026-31790 is a vulnerability affecting OpenSSL, a widely used open-source toolkit for implementing secure communication over computer networks. Specifically, this flaw pertains to the RSASVE key encapsulation mechanism utilized in establishing secret encryption keys. The vulnerability arises when applications fail to initialize their memory buffers, which can result in the inadvertent exposure of sensitive information from previous executions. Attackers exploiting this vulnerability may receive data that was never intended for them, creating significant risk for organizations that rely on OpenSSL to secure their communications. The flaw is further exacerbated by coding errors in how the RSA_public_encrypt() function handles encryption failures, leading to potential leakage of unprotected data via the ciphertext buffer generated during the key encapsulation process.
Potential impact of CVE-2026-31790
-
Sensitive Data Exposure: The most immediate risk is the leakage of sensitive data, which could include private keys, passwords, or other confidential information. If an attacker successfully exploits this vulnerability, they may gain access to critical data that could be used for further attacks or to compromise systems.
-
Increased Attack Surface: Organizations that utilize OpenSSL and its affected versions are at a heightened risk of being targeted by malicious actors. The ease of triggering the vulnerability, especially when using invalid RSA public keys without prior validation, increases the likelihood of exploitation.
-
Regulatory and Compliance Implications: Sensitive data leaks can lead to serious regulatory consequences for organizations, especially those that must adhere to strict data protection standards. Breaches resulting from this vulnerability could trigger fines, legal repercussions, and damage to an organization's reputation, undermining trust among customers and partners.
Affected Version(s)
OpenSSL 3.6.0 < 3.6.2
OpenSSL 3.5.0 < 3.5.6
OpenSSL 3.4.0 < 3.4.5
News Articles
It Security NewsCVE-2026-31790Multiple OpenSSL Flaws Expose Sensitive Data in RSA KEM Handling - IT Security News
A newly disclosed flaw in OpenSSL could allow attackers to access sensitive data stored in application memory. Tracked as CVE-2026-31790, this moderate-severity vulnerability affects the handling of RSA Key Encapsulation Mechanism (KEM) RSASVE encapsulation. OpenSSL issued the security advisory onā¦R...
1 month ago
It Security NewsCVE-2026-31790Multiple OpenSSL Vulnerabilities Exposes Sensitive Data in RSA KEM Handling - IT Security News
OpenSSL has released a broad April 2026 security update that fixes seven vulnerabilities across supported branches, led by CVE-2026-31790, a moderate-severity flaw in RSA KEM RSASVE encapsulation that can expose uninitialized memory to a malicious peer. The advisory directs usersā¦Read more ā
1 month ago
CybersecuritynewsCVE-2026-31790Multiple OpenSSL Vulnerabilities Exposes Sensitive Data in RSA KEM Handling
OpenSSL has released a broad April 2026 security update that fixes seven vulnerabilities across supported branches, led by CVE-2026-31790, a moderate-severity flaw in RSA KEM RSASVE encapsulation that can expose uninitialized memory to a malicious peer.
1 month ago
References
CVSS V3.1
Timeline
- š°
First article discovered by It Security News
Vulnerability published
Vulnerability Reserved