CVE-2026-31790
Published: 07 April 2026
Description
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.
Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process, which leads to sensitive data leakage to an attacker.
RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.
If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext.
As a workaround, calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue.
The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
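The return-value mistake the description refers to, as an added illustration that is not OpenSSL's code: rsa_public_encrypt_sim() is a hypothetical stand-in for RSA_public_encrypt() with the same contract (byte count on success, -1 on error), sim_key is a made-up key type whose "usable" flag models a malformed key the encryption call rejects, and NLEN is an arbitrary modulus size. encapsulate_vulnerable() reproduces the non-zero test from the advisory; encapsulate_fixed() requires a positive byte count. The caller's ciphertext buffer is pre-filled with constructed stale bytes so the leak is visible.

```c
#include <stdio.h>
#include <string.h>

#define NLEN 32   /* simulated modulus size in bytes (arbitrary) */

/* Hypothetical stand-in for an RSA public key. usable == 0 models a
 * malformed key that RSA_public_encrypt() rejects; its modulus size is
 * still reported, just as RSA_size() would report it for a real key. */
struct sim_key {
    size_t nlen;
    int usable;
};

static const struct sim_key GOOD_KEY = { NLEN, 1 };
static const struct sim_key BAD_KEY  = { NLEN, 0 };

/* Models RSA_public_encrypt(): writes nlen bytes and returns that count,
 * or returns -1 and leaves 'out' untouched. */
static int rsa_public_encrypt_sim(const struct sim_key *key, unsigned char *out)
{
    if (!key->usable)
        return -1;
    memset(out, 0xAB, key->nlen);   /* placeholder "ciphertext" bytes */
    return (int)key->nlen;
}

/* Vulnerable pattern from the advisory: only tests for non-zero, so -1
 * counts as success and *ctlen is set although nothing was written. */
static int encapsulate_vulnerable(const struct sim_key *key,
                                  unsigned char *ct, size_t *ctlen)
{
    int ret = rsa_public_encrypt_sim(key, ct);

    if (ret) {
        *ctlen = key->nlen;
        return 1;
    }
    return 0;
}

/* Fixed pattern: -1 is an error, so demand a positive byte count. */
static int encapsulate_fixed(const struct sim_key *key,
                             unsigned char *ct, size_t *ctlen)
{
    int ret = rsa_public_encrypt_sim(key, ct);

    if (ret <= 0)
        return 0;
    *ctlen = (size_t)ret;
    return 1;
}

typedef int (*encap_fn)(const struct sim_key *, unsigned char *, size_t *);

/* Encapsulates into a buffer pre-filled with constructed stale bytes ('S')
 * and returns how many of those bytes the caller would transmit as
 * ciphertext: 0 when the call fails or the buffer was really overwritten. */
static size_t leaked_stale_bytes(encap_fn encap, const struct sim_key *key)
{
    unsigned char ct[NLEN];
    size_t ctlen = 0, leaked = 0, i;

    memset(ct, 'S', sizeof ct);
    if (!encap(key, ct, &ctlen))
        return 0;
    for (i = 0; i < ctlen; i++)
        if (ct[i] == 'S')
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable check, bad key: %zu stale bytes sent\n",
           leaked_stale_bytes(encapsulate_vulnerable, &BAD_KEY));
    printf("fixed check, bad key:      %zu stale bytes sent\n",
           leaked_stale_bytes(encapsulate_fixed, &BAD_KEY));
    printf("fixed check, good key:     %zu stale bytes sent\n",
           leaked_stale_bytes(encapsulate_fixed, &GOOD_KEY));
    return 0;
}
```

With the bad key, the vulnerable check reports success and all NLEN stale bytes would go on the wire; the fixed check fails closed and sends nothing.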
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in OpenSSL's RSASVE key encapsulation by applying the available patches.
Addresses the core issue, the improper check of the RSA_public_encrypt() return value in the RSASVE encapsulation code, by ensuring that a -1 result is detected as a failure so an uninitialized buffer is never reported to the caller as ciphertext.
Implements validation of attacker-supplied RSA public keys with EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate(), matching the advisory's recommended workaround.
Security Summary
CVE-2026-31790 is a vulnerability in the RSASVE key encapsulation mechanism reached through EVP_PKEY_encapsulate() in OpenSSL. It affects applications that run RSA/RSASVE encapsulation on an attacker-supplied RSA public key without validating that key first. RSA_public_encrypt() returns the number of bytes written on success and -1 on error, but the encapsulation code only tested its return value for non-zero; since -1 is non-zero, a failed encryption on an invalid key is reported as success, the output lengths are set, and the caller goes on to use the stale or uninitialized contents of its own ciphertext buffer as if they were a valid KEM ciphertext. The advisory lists the FIPS modules in OpenSSL 3.0, 3.1, 3.3, 3.4, 3.5, and 3.6 as affected. The issue carries a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions).
A remote attacker exploits this by acting as the peer and supplying an invalid RSA public key for the encapsulation; no authentication or user interaction is required. Successful exploitation discloses whatever the caller's ciphertext buffer held in place of the ciphertext, which can include sensitive data from a previous execution of the application process. Confidentiality is affected; integrity and availability are not.
As a workaround, OpenSSL recommends validating the peer's public key before encapsulation by calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() (a lighter version of the same check) on it. This is a check the application must add itself, since the flawed return-value test lives inside the library. Patches are available in multiple OpenSSL GitHub commits, including 001e01db3e996e13ffc72386fe79d03a6683b5ac, abd8b2eec7e3f3fda60ecfb68498b246b52af482, b922e24e5b23ffb9cb9e14cadff23d91e9f7e406, d5f8e71cd0a54e961d0c3b174348f8308486f790, and eed200f58cd8645ed77e46b7e9f764e284df379e, which correct the handling of the RSA_public_encrypt() return value in the RSASVE encapsulation code so that -1 is treated as a failure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated information leak in an OpenSSL KEM used by network-facing applications maps to T1190 (Exploit Public-Facing Application) for the entry point and T1005 (Data from Local System) for the outcome, the adversary obtaining contents of the application's memory.