Description
Issue summary: Applications using RSASVE key encapsulation to establish
a secret encryption key can send contents of an uninitialized memory buffer to
a malicious peer.

Impact summary: The uninitialized buffer might contain sensitive data from the
previous execution of the application process which leads to sensitive data
leakage to an attacker.

RSA_public_encrypt() returns the number of bytes written on success and -1
on error. The affected code tests only whether the return value is non-zero.
As a result, if RSA encryption fails, encapsulation can still return success to
the caller, set the output lengths, and leave the caller to use the contents of
the ciphertext buffer as if a valid KEM ciphertext had been produced.

If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an
attacker-supplied invalid RSA public key without first validating that key,
then this may cause stale or uninitialized contents of the caller-provided
ciphertext buffer to be disclosed to the attacker in place of the KEM
ciphertext.

As a workaround calling EVP_PKEY_public_check() or
EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate
the issue.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data leakage via uninitialized buffer
Action: Immediate Patch
AI Analysis

Impact

Applications using RSA/RSASVE key encapsulation can treat a failure of RSA_public_encrypt() as a success because the affected code checks only for a non-zero return value, and RSA_public_encrypt() returns -1 on error. When encryption fails, encapsulation still reports success and sets the output lengths, so the caller believes a valid KEM ciphertext was produced and sends whatever the caller-provided ciphertext buffer already held, which may be data left over from earlier use of that memory. The weaknesses recorded for this CVE are CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CWE-824 (Access of Uninitialized Pointer).

Affected Systems

The advisory text on this page lists the FIPS modules in OpenSSL 3.0, 3.1, 3.3, 3.4, 3.5 and 3.6 as affected; the distribution advisories listed below (Debian DSA-6201-1, Ubuntu USN-8155-1) address the issue for their packages. An application is exposed only if it links against an affected release and performs RSA/RSASVE encapsulation (EVP_PKEY_encapsulate()) against a peer-supplied RSA public key without validating that key first.

Risk and Exploitability

The 7.5 CVSS v3.1 score shown on this page is High (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: confidentiality impact only, no integrity or availability impact); the history section also records a 5.9 Medium vector that differs only in rating attack complexity as High. The EPSS score below 1% indicates a low current exploitation probability, and the CVE is not listed in CISA's KEV catalog. The trigger is an invalid RSA public key presented to the vulnerable application: if the application accepts such keys over a network or interprocess interface the attack is remote and unauthenticated, otherwise local access might be required. A successful trigger returns the stale contents of the caller's ciphertext buffer to the attacker in place of the KEM ciphertext; what that reveals depends on what the process previously stored in that memory, and the risk depends on whether the application validates keys before encapsulation and checks return values after it.

Generated by OpenCVE AI on April 8, 2026 at 17:23 UTC.

Remediation

The advisory text above documents a workaround: call EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() on the peer key before EVP_PKEY_encapsulate(). Distribution fixes are listed under Advisories below (Debian DSA-6201-1, Ubuntu USN-8155-1).

OpenCVE Recommended Actions

  • Apply the OpenSSL patch that resolves CVE‑2026‑31790, or the distribution update (Debian DSA-6201-1, Ubuntu USN-8155-1)
  • If patching is not possible, validate the peer's RSA public key before encapsulation by calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() on the EVP_PKEY_CTX, and treat only a positive return from EVP_PKEY_encapsulate() as success

Generated by OpenCVE AI on April 8, 2026 at 17:23 UTC.

Tracking


Advisories
Source      ID          Title
Debian DSA  DSA-6201-1  openssl security update
Ubuntu USN  USN-8155-1  OpenSSL vulnerabilities
History

Tue, 12 May 2026 13:30:00 +0000

Type: References

Thu, 23 Apr 2026 15:45:00 +0000

Type: CPEs
  Values Added: cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
  Values Added: Openssl; Openssl openssl
Type: Vendors & Products
  Values Added: Openssl; Openssl openssl

Wed, 08 Apr 2026 15:15:00 +0000

Type: Metrics
  Values Removed:
    cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  Values Added:
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 08 Apr 2026 00:15:00 +0000

Type: Weaknesses
  Values Added: CWE-824
Type: References
Type: Metrics
  Values Removed:
    threat_severity: None
  Values Added:
    cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    threat_severity: Moderate


Tue, 07 Apr 2026 22:15:00 +0000

Type: Description
  Values Added: the advisory text reproduced under Description at the top of this page
Type: Title
  Values Added: Incorrect Failure Handling in RSA KEM RSASVE Encapsulation
Type: Weaknesses
  Values Added: CWE-754
Type: References

MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-05-12T12:09:06.208Z

Reserved: 2026-03-09T15:56:53.191Z

Link: CVE-2026-31790

Vulnrichment

Updated: 2026-04-08T14:18:22.785Z

NVD

Status : Modified

Published: 2026-04-07T22:16:21.770

Modified: 2026-05-12T13:17:34.750

Link: CVE-2026-31790

Redhat

Severity : Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-31790 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:45:15Z

Weaknesses