Seven vulnerabilities have been patched with the latest OpenSSL updates, including a flaw that can allow an attacker to obtain sensitive data.
The data leakage issue, tracked as CVE-2026-31790 and rated ‘moderate severity’, affects applications that use RSASVE key encapsulation to establish a secret encryption key.
The problem is that OpenSSL sometimes fails to properly verify that the encryption succeeded, yet may still return a ‘success’ message, exposing data from an uninitialized memory buffer to the attacker.
“The uninitialized buffer might contain sensitive data from the previous execution of the application process, which leads to sensitive data leakage to an attacker,” OpenSSL developers explained in an advisory.
The security hole affects versions 3.6, 3.5, 3.4, 3.3, and 3.0. OpenSSL 1.0.2 and 1.1.1 are not impacted.
The remaining vulnerabilities have all been classified as ‘low severity’. A majority can be exploited to crash the application and cause a DoS condition.
Two of the flaws could in theory lead to arbitrary code execution, but one affects an uncommon configuration of OpenSSL, and one involves sending a specially crafted 1GB X.509 certificate.
Updates released by OpenSSL developers in January addressed a dozen vulnerabilities, including a high-severity flaw that could be exploited for remote code execution.
High-severity vulnerabilities are now rare in OpenSSL. Only one such vulnerability was found in 2025.
Related: High-Severity OpenSSL Vulnerability Found by Apple Allows MitM Attacks
Related: RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years
Related: OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks
Related: Critical Flowise Vulnerability in Attacker Crosshairs
