OpenSSL April 2026 Update Patches Critical RSA KEM Flaw in Key Handling

OpenSSL’s April 2026 Update Addresses Critical Vulnerabilities in RSA KEM Handling

In April 2026, OpenSSL released a security update addressing seven vulnerabilities across its supported branches. The most significant of these, CVE-2026-31790, is a moderate-severity flaw in the RSASVE encapsulation step of the RSA Key Encapsulation Mechanism (KEM). It can expose uninitialized memory to a remote peer, creating a risk of sensitive data leakage.

Understanding CVE-2026-31790

CVE-2026-31790 affects applications that call `EVP_PKEY_encapsulate()` with RSA/RSASVE to derive shared secrets from attacker-supplied RSA public keys without first validating those keys. The root cause is an incorrect check of the value returned by `RSA_public_encrypt()`. That function returns `-1` on failure, but the affected code only tests whether the return value is non-zero, so a `-1` failure is indistinguishable from success. Consequently, encapsulation can appear to succeed even though encryption has failed.

When the RSA operation fails, this logic error causes the API to set the output lengths and return as if a valid KEM ciphertext had been generated. The ciphertext buffer may then still hold stale or uninitialized bytes, which the application transmits to the peer. Those bytes can contain sensitive data from earlier activity in the same process, which is what creates the data leakage condition.

Affected Versions and Immediate Mitigation

The vulnerability impacts OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6. Notably, OpenSSL versions 1.0.2 and 1.1.1 are unaffected. Additionally, FIPS modules in versions 3.6, 3.5, 3.4, 3.3, 3.1, and 3.0 are also impacted, making this issue pertinent to both general-purpose deployments and regulated environments relying on validated cryptographic boundaries.

To mitigate this vulnerability, OpenSSL recommends invoking `EVP_PKEY_public_check()` or `EVP_PKEY_public_check_quick()` before calling `EVP_PKEY_encapsulate()`. This precaution is crucial because exploitation depends on the application accepting an invalid attacker-controlled RSA public key. Therefore, environments that already validate imported public keys are better protected than those that treat key material as implicitly trusted.
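To make the failure mode and the recommended mitigation concrete, here is an added C model written for this article (not OpenSSL's own code). `toy_public_encrypt()` stands in for `RSA_public_encrypt()` and the `key_ok` flag for the verdict of `EVP_PKEY_public_check()`; all names, the toy modulus size and the placeholder transform are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define MODULUS_LEN 8  /* toy size; constructed stand-in, not a real RSA modulus */

/* Toy public key; key_ok models the verdict of EVP_PKEY_public_check(). */
typedef struct { int key_ok; } toy_rsa_key;

/* Stand-in for RSA_public_encrypt(): returns ciphertext length on success,
 * -1 on failure. On failure nothing is written, so out keeps its old bytes. */
static int toy_public_encrypt(const toy_rsa_key *k, const uint8_t *in, uint8_t *out)
{
    if (!k->key_ok)
        return -1;
    for (size_t i = 0; i < MODULUS_LEN; i++)
        out[i] = in[i] ^ 0x5a;  /* placeholder transform, not RSA */
    return MODULUS_LEN;
}

/* Flawed encapsulation: only a zero return counts as failure, so the -1
 * error path is reported as success and ct still holds stale bytes. */
int encaps_flawed(const toy_rsa_key *k, const uint8_t *secret, uint8_t *ct, size_t *ct_len)
{
    int ret = toy_public_encrypt(k, secret, ct);
    if (ret == 0)  /* BUG: should be ret <= 0 */
        return 0;
    *ct_len = MODULUS_LEN;
    return 1;
}

/* Fixed encapsulation: any non-positive return is a failure. */
int encaps_fixed(const toy_rsa_key *k, const uint8_t *secret, uint8_t *ct, size_t *ct_len)
{
    int ret = toy_public_encrypt(k, secret, ct);
    if (ret <= 0)
        return 0;
    *ct_len = (size_t)ret;
    return 1;
}

/* Application-side mitigation from the advisory: validate the peer's public key
 * before encapsulating, which closes the flawed path even on an unpatched library. */
int encaps_with_check(const toy_rsa_key *k, const uint8_t *secret, uint8_t *ct, size_t *ct_len)
{
    if (!k->key_ok)  /* models EVP_PKEY_public_check() rejecting the key */
        return 0;
    return encaps_flawed(k, secret, ct, ct_len);
}
```

With an invalid key, `encaps_flawed()` reports success and leaves the pre-existing buffer contents in `ct`, while `encaps_fixed()` and `encaps_with_check()` both refuse to produce a ciphertext.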

Additional Vulnerabilities Addressed

Alongside CVE-2026-31790, OpenSSL’s update addresses six low-severity vulnerabilities:

1. CVE-2026-28386: An out-of-bounds read in AES-CFB-128 on x86-64 systems with AVX-512 and VAES support.

2. CVE-2026-28387: A use-after-free issue in uncommon DANE client configurations.

3. CVE-2026-28388: A delta CRL NULL dereference.

4. CVE-2026-28389 and CVE-2026-28390: NULL dereference issues in KeyAgreeRecipientInfo and KeyTransportRecipientInfo handling within CMS.

5. CVE-2026-31789: A heap buffer overflow during oversized OCTET STRING hexadecimal conversion on 32-bit platforms.

While these issues primarily lead to denial-of-service conditions, they underscore the recurring risks in cryptographic libraries, particularly concerning edge-case parsing and error-handling paths when processing untrusted certificates, CMS objects, CRLs, or public keys.

Recommendations for Security Teams

This update is a reminder that OpenSSL exposure extends beyond TLS termination. Mail gateways, certificate-processing tools, CMS/S/MIME services, and custom applications using the newer KEM APIs may all need review. Organizations running affected builds should prioritize patching and add explicit public-key validation to any workflow that performs RSA-based encapsulation, especially where remote or user-supplied key material can reach that API surface.

Conclusion

OpenSSL’s April 2026 security update addresses critical vulnerabilities that could potentially expose sensitive data through uninitialized memory in RSA KEM handling. Organizations are urged to apply the recommended patches promptly and review their cryptographic implementations to ensure robust validation processes are in place, thereby safeguarding against potential exploits.