Multiple OpenSSL Flaws Expose Sensitive Data in RSA KEM Handling
A recently uncovered vulnerability in OpenSSL could expose sensitive data stored within application memory to potential attackers.
Identified as CVE-2026-31790, this moderate-severity issue impacts the RSA Key Encapsulation Mechanism (KEM) RSASVE encapsulation process.
OpenSSL released a security advisory on April 7, 2026, strongly advising all users to apply the necessary patches immediately. The core problem stems from inadequate failure handling during the encryption workflow.
When applications utilize RSASVE key encapsulation to generate a secret encryption key, they depend on specific verification functions. Unfortunately, a code flaw causes the system to incorrectly validate the return values of these functions.
How the Exploit Functions
The vulnerability exists within the RSA_public_encrypt() function. This function should return the number of bytes written upon success or a -1 on failure.
However, the affected code only checks if the return value is non-zero. If RSA encryption fails and returns -1, the system incorrectly interprets this as a non-zero success indicator.
This false positive triggers the encapsulation process to proceed. The application sets the output lengths and processes the ciphertext buffer as if a valid key had been generated.
If an attacker provides an invalid RSA public key and the application fails to validate it beforehand, the system will process the error and inadvertently leak the uninitialized contents of the buffer back to the attacker. This stale memory could contain highly sensitive data previously used by the application.
Simo Sorce of Red Hat disclosed the flaw in February 2026, with Nikola Pajkovsky developing the corresponding fix. Older OpenSSL versions, specifically 1.0.2 and 1.1.1, remain unaffected by this specific bug.
Users of impacted versions, including those utilizing the respective FIPS modules, must upgrade to the latest patched releases immediately.
Available security updates include:
- OpenSSL 3.0 users should upgrade to 3.0.20
- OpenSSL 3.3 users should upgrade to 3.3.7
- OpenSSL 3.4 users should upgrade to 3.4.5
- OpenSSL 3.5 users should upgrade to 3.5.6
- OpenSSL 3.6 users should upgrade to 3.6.2
Administrators unable to patch systems immediately can implement a code-level workaround. Application developers should ensure public keys are validated before processing them.
Specifically, calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() prior to executing EVP_PKEY_encapsulate() will effectively mitigate the vulnerability and prevent the memory leak.