{"api_version":"1","generated_at":"2026-04-23T01:19:47+00:00","cve":"CVE-2026-31790","urls":{"html":"https://cve.report/CVE-2026-31790","api":"https://cve.report/api/cve/CVE-2026-31790.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31790","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31790"},"summary":{"title":"Incorrect Failure Handling in RSA KEM RSASVE Encapsulation","description":"Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","state":"PUBLISHED","assigner":"openssl","published_at":"2026-04-07 22:16:21","updated_at":"2026-04-08 21:27:00"},"problem_types":["CWE-754","CWE-754 CWE-754 Improper Check for Unusual or Exceptional Conditions"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e","name":"https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://openssl-library.org/news/secadv/20260407.txt","name":"https://openssl-library.org/news/secadv/20260407.txt","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac","name":"https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406","name":"https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790","name":"https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482","name":"https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31790","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31790","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.6.0 3.6.2 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.5.0 3.5.6 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.4.0 3.4.5 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.3.0 3.3.7 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.0.0 3.0.20 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Simo Sorce (Red Hat)","lang":"en"},{"source":"CNA","value":"Nikola Pajkovsky","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31790","cve":"CVE-2026-31790","epss":"0.000240000","percentile":"0.062830000","score_date":"2026-04-14","updated_at":"2026-04-15 00:18:08"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-31790","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-08T14:32:04.700201Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-08T14:32:37.439Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"3.6.2","status":"affected","version":"3.6.0","versionType":"semver"},{"lessThan":"3.5.6","status":"affected","version":"3.5.0","versionType":"semver"},{"lessThan":"3.4.5","status":"affected","version":"3.4.0","versionType":"semver"},{"lessThan":"3.3.7","status":"affected","version":"3.3.0","versionType":"semver"},{"lessThan":"3.0.20","status":"affected","version":"3.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"Simo Sorce (Red Hat)"},{"lang":"en","type":"remediation developer","value":"Nikola Pajkovsky"}],"datePublic":"2026-04-07T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Issue summary: Applications using RSASVE key encapsulation to establish<br>a secret encryption key can send contents of an uninitialized memory buffer to<br>a malicious peer.<br><br>Impact summary: The uninitialized buffer might contain sensitive data from the<br>previous execution of the application process which leads to sensitive data<br>leakage to an attacker.<br><br>RSA_public_encrypt() returns the number of bytes written on success and -1<br>on error. The affected code tests only whether the return value is non-zero.<br>As a result, if RSA encryption fails, encapsulation can still return success to<br>the caller, set the output lengths, and leave the caller to use the contents of<br>the ciphertext buffer as if a valid KEM ciphertext had been produced.<br><br>If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an<br>attacker-supplied invalid RSA public key without first validating that key,<br>then this may cause stale or uninitialized contents of the caller-provided<br>ciphertext buffer to be disclosed to the attacker in place of the KEM<br>ciphertext.<br><br>As a workaround calling EVP_PKEY_public_check() or<br>EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate<br>the issue.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue."}],"value":"Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue."}],"metrics":[{"format":"other","other":{"content":{"text":"Moderate"},"type":"https://openssl-library.org/policies/general/security-policy/"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-754","description":"CWE-754 Improper Check for Unusual or Exceptional Conditions","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-07T22:00:56.698Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://openssl-library.org/news/secadv/20260407.txt"},{"name":"3.6.2 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482"},{"name":"3.5.6 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac"},{"name":"3.4.5 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790"},{"name":"3.3.7 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406"},{"name":"3.0.20 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e"}],"source":{"discovery":"UNKNOWN"},"title":"Incorrect Failure Handling in RSA KEM RSASVE Encapsulation","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2026-31790","datePublished":"2026-04-07T22:00:56.698Z","dateReserved":"2026-03-09T15:56:53.191Z","dateUpdated":"2026-04-08T14:32:37.439Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-07 22:16:21","lastModifiedDate":"2026-04-08 21:27:00","problem_types":["CWE-754","CWE-754 CWE-754 Improper Check for Unusual or Exceptional Conditions"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31790","Ordinal":"1","Title":"Incorrect Failure Handling in RSA KEM RSASVE Encapsulation","CVE":"CVE-2026-31790","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31790","Ordinal":"1","NoteData":"Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","Type":"Description","Title":"Incorrect Failure Handling in RSA KEM RSASVE Encapsulation"}]}}}