Data Leakage Vulnerability Patched in OpenSSL

Summary

OpenSSL released patches for seven vulnerabilities, including CVE-2026-31790, a moderate-severity flaw affecting versions 3.0–3.6 that can leak sensitive data from uninitialized memory buffers when RSASVE key encapsulation fails to verify encryption success. The remaining six flaws are rated low severity, with most causing DoS conditions; two could theoretically lead to remote code execution under uncommon configurations. High-severity vulnerabilities in OpenSSL have become rare, with only one found in 2025.

Full text

Seven vulnerabilities have been patched with the latest OpenSSL updates, including a flaw that can allow an attacker to obtain sensitive data. The data leakage issue, tracked as CVE-2026-31790 and rated ‘moderate severity’, affects applications that use RSASVE key encapsulation to establish a secret encryption key. The problem is that OpenSSL sometimes fails to properly verify that the encryption succeeded, yet may still return a ‘success’ message, exposing data from an uninitialized memory buffer to the attacker. “The uninitialized buffer might contain sensitive data from the previous execution of the application process, which leads to sensitive data leakage to an attacker,” OpenSSL developers explained in an advisory. The security hole affects versions 3.6, 3.5, 3.4, 3.3, and 3.0. OpenSSL 1.0.2 and 1.1.1 are not impacted. The remaining vulnerabilities have all been classified as ‘low severity’. A majority can be exploited to crash the application and cause a DoS condition. Advertisement. Scroll to continue reading. Two of the flaws could in theory lead to arbitrary code execution, but one affects an uncommon configuration of OpenSSL, and one involves sending a specially crafted 1GB X.509 certificate. Updates released by OpenSSL developers in January addressed a dozen vulnerabilities, including a high-severity flaw that could be exploited for remote code execution. High-severity vulnerabilities are now rare in OpenSSL. Only one such vulnerability was found in 2025. Related: High-Severity OpenSSL Vulnerability Found by Apple Allows MitM Attacks Related: RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years Related: OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks Related: Critical Flowise Vulnerability in Attacker Crosshairs Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Severe StrongBox Vulnerability Patched in AndroidGPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack White House Seeks to Slash CISA Funding by $707 MillionWynn Resorts Says 21,000 Employees Affected by ShinyHunters HackT-Mobile Sets the Record Straight on Latest Data Breach FilingApple Rolls Out DarkSword Exploit Protection to More DevicesCybersecurity M&A Roundup: 38 Deals Announced in March 2026Toy Giant Hasbro Hit by Cyberattack Latest News RCE Bug Lurked in Apache ActiveMQ Classic for 13 YearsFBI: Cybercrime Losses Neared $21 Billion in 2025Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption Evasive Masjesu DDoS Botnet Targets IoT DevicesHackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to TakeoverUS Disrupts Russian Espionage Operation Involving Hacked Routers and DNS HijackingIran-Linked Hackers Disrupt US Critical Infrastructure via PLC AttacksAnthropic Unveils ‘Claude Mythos’ – A Cybersecurity Breakthrough That Could Also Supercharge Attacks Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MovePamela McLeod has been named as CISO of the state of New Hampshire.Aspen Digital has named Matt Altomare as its new Senior Director for Cybersecurity Programs.Scott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.More People On The MoveExpert Insights The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-31790

Entities