
"The uninitialized buffer might contain sensitive data from the previous execution of the application process, which leads to sensitive data leakage to an attacker," OpenSSL developers explained in an advisory.
"The problem is that OpenSSL sometimes fails to properly verify that the encryption succeeded, yet may still return a 'success' message, exposing data from an uninitialized memory buffer to the attacker."
"The remaining vulnerabilities have all been classified as 'low severity'. A majority can be exploited to crash the application and cause a DoS condition."
"High-severity vulnerabilities are now rare in OpenSSL. Only one such vulnerability was found in 2025."
The latest OpenSSL updates address seven vulnerabilities, including CVE-2026-31790, which allows attackers to obtain sensitive data due to improper verification of encryption success. This flaw affects applications using RSASVE key encapsulation and can expose data from an uninitialized memory buffer. Versions 3.6, 3.5, 3.4, 3.3, and 3.0 are impacted, while OpenSSL 1.0.2 and 1.1.1 are not. Other vulnerabilities are classified as low severity, with potential for application crashes and DoS conditions. High-severity vulnerabilities have become rare in OpenSSL, with only one found in 2025.
Read at SecurityWeek