OpenSSL Patches Seven Vulnerabilities Including a Data Leakage Flaw in RSASVE Key Encapsulation
Introduction
The OpenSSL project has released updates addressing seven vulnerabilities, the most notable being a moderate-severity data leakage flaw tracked as CVE-2026-31790. The bug affects applications that rely on RSASVE key encapsulation and can expose sensitive data from uninitialized memory to an attacker.
What Happened
The core issue lies in how OpenSSL handles RSASVE key encapsulation operations. Under certain failure conditions, the library does not properly verify that encryption succeeded but still returns a success status to the calling application. When this happens, the application may read from an uninitialized memory buffer that could contain leftover sensitive data from previous operations — such as cryptographic keys, session data, or other secrets. The flaw affects OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0. Older branches (1.0.2 and 1.1.1) are not impacted. Alongside CVE-2026-31790, six additional low-severity vulnerabilities were patched, most of which can trigger denial-of-service conditions through application crashes. Two of those could theoretically lead to code execution, but only under uncommon configurations.
Why It Matters
OpenSSL is the cryptographic backbone of the internet. It secures web servers, VPNs, email systems, databases, and countless internal services. A data leakage flaw — even a moderate one — matters because it can expose cryptographic material that undermines the security of encrypted communications. While exploitation requires specific conditions (the application must use RSASVE), the widespread use of OpenSSL means the total number of potentially affected systems is significant. The last major OpenSSL vulnerability wave led to widespread emergency patching campaigns, and organizations that fell behind paid the price.
Who Is Affected
- Any application or service linked against OpenSSL 3.0 through 3.6
- Linux distributions shipping affected OpenSSL versions (Ubuntu, Debian, RHEL, Fedora, Alpine)
- Web servers (nginx, Apache with mod_ssl), VPN gateways, mail servers, and database services using TLS
- Container images built on base images with vulnerable OpenSSL versions
How to Protect Yourself
1. Check your current OpenSSL version
openssl version
# Affected: 3.0.x through 3.6.x
# Not affected: 1.0.2, 1.1.1
2. Update OpenSSL through your package manager
# Debian/Ubuntu
sudo apt update && sudo apt upgrade openssl libssl3
# RHEL/Fedora
sudo dnf update openssl
# Alpine
apk update && apk upgrade openssl
3. Identify all services linked against OpenSSL
# Find running processes using libssl
lsof | grep libssl | awk '{print $1}' | sort -u
Restart each affected service after updating the library.
4. Rebuild container images with updated base layers
If your containers use Debian, Ubuntu, or Alpine base images, rebuild and redeploy them to pick up the patched OpenSSL.
docker pull ubuntu:latest
docker build --no-cache -t myapp:patched .
5. Monitor the OpenSSL security advisory page
Bookmark https://openssl-library.org/news/secadv/ and subscribe to the openssl-announce mailing list for future disclosures.
Source
Data Leakage Vulnerability Patched in OpenSSL — SecurityWeek