OpenSSL 3.6.2 Addresses Multiple Vulnerabilities Including RSA KEM Flaw
Severity: Medium (Score: 57.8)
Sources: Feeds2.Feedburner, Cybersecuritynews
Summary
OpenSSL released version 3.6.2 on April 8, 2026, addressing eight vulnerabilities. Among them is CVE-2026-31790, a moderate-severity flaw in RSA KEM (RSASVE) encapsulation that can expose uninitialized memory to an attacker and so leak sensitive data. Other notable fixes include CVE-2026-2673, which corrects a loss of key agreement group structure, and CVE-2026-28386, which resolves an out-of-bounds read in AES-CFB-128 on x86-64 CPUs. Users of OpenSSL 3.x are advised to upgrade to the latest release, or to the fixed release for the branch they run (3.0.20, 3.3.7, 3.4.5 or 3.5.6), to mitigate these risks. The vulnerabilities affect several components of OpenSSL, underlining the need for timely updates. The project rates the most severe issue as moderate, a significant but not critical threat level. Current status: the patch is available and users are encouraged to apply it promptly.

Key Points:
- OpenSSL 3.6.2 fixes eight vulnerabilities, including CVE-2026-31790.
- CVE-2026-31790 can expose uninitialized memory, risking sensitive data leakage.
- Users are advised to upgrade to OpenSSL 3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2.
Key Entities
- OpenSSL (tool)
- CVE-2026-2673 (cve)
- CVE-2026-28386 (cve)
- CVE-2026-31790 (cve)