CVE-2026-31790 Overview
CVE-2026-31790 is a high-severity information disclosure vulnerability in OpenSSL affecting applications using RSASVE key encapsulation to establish secret encryption keys. The vulnerability allows attackers to receive contents of uninitialized memory buffers, potentially exposing sensitive data from previous execution of the application process.
The flaw stems from improper error handling in the RSA_public_encrypt() function. When RSA encryption fails, the encapsulation operation can still return success to the caller, set output lengths, and leave the caller to use stale or uninitialized contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.
Critical Impact
Applications using EVP_PKEY_encapsulate() with RSA/RSASVE on attacker-supplied invalid RSA public keys may inadvertently disclose sensitive data from uninitialized memory buffers to malicious peers.
Affected Products
- OpenSSL FIPS Module 3.6
- OpenSSL FIPS Module 3.5
- OpenSSL FIPS Module 3.4
- OpenSSL FIPS Module 3.3
- OpenSSL FIPS Module 3.1
- OpenSSL FIPS Module 3.0
Discovery Timeline
- 2026-04-07 - CVE-2026-31790 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-31790
Vulnerability Analysis
This vulnerability represents a classic case of improper check for exceptional conditions (CWE-754). The core issue lies in how the OpenSSL library handles return values from the RSA_public_encrypt() function during RSASVE key encapsulation operations.
The RSA_public_encrypt() function returns the number of bytes written on success and -1 on error. However, the affected code only tests whether the return value is non-zero, failing to distinguish between a successful encryption (positive value) and an error condition (negative value of -1). This improper validation creates a scenario where encryption failures are silently treated as successes.
When applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, the function may return success even when the underlying RSA encryption has failed. The caller then proceeds to use whatever data happens to be in the ciphertext buffer—which may contain sensitive information from previous operations within the same process memory space.
Root Cause
The root cause is improper validation of the return value from RSA_public_encrypt(). The affected code uses a non-zero check (!= 0) instead of properly checking for positive return values indicating success. Since -1 (the error indicator) is also non-zero, error conditions pass the validation check and are incorrectly treated as successful operations.
This error handling deficiency means that when RSA encryption fails due to an invalid public key supplied by an attacker, the encapsulation function:
- Returns success status to the calling application
- Sets the output length parameters
- Leaves the ciphertext buffer containing uninitialized or stale data
Attack Vector
The attack requires an adversary to supply a malicious, invalid RSA public key to an application that performs RSASVE key encapsulation without first validating the key. The attack flow proceeds as follows:
- Attacker provides a specially crafted invalid RSA public key to the target application
- Application calls EVP_PKEY_encapsulate() with the malicious key
- Internal RSA_public_encrypt() call fails and returns -1
- Improper error checking causes encapsulation to report success
- Uninitialized or stale memory contents in the ciphertext buffer are returned to the attacker
- Attacker receives sensitive data that may have been present in the buffer from previous operations
This is a network-accessible vulnerability that requires no privileges or user interaction to exploit, making it particularly concerning for server applications that accept external cryptographic keys.
Detection Methods for CVE-2026-31790
Indicators of Compromise
- Unusual patterns of failed RSA operations followed by successful KEM encapsulation responses
- Presence of malformed or invalid RSA public keys in application inputs
- Memory analysis revealing sensitive data in cryptographic output buffers
- Anomalous network traffic containing unexpected data patterns in KEM ciphertext responses
Detection Strategies
- Implement application logging for all EVP_PKEY_encapsulate() operations and monitor for discrepancies between internal errors and external responses
- Deploy network intrusion detection signatures to identify patterns of invalid RSA key submissions
- Use memory debugging tools such as Valgrind or AddressSanitizer during development to detect uninitialized memory usage
- Monitor for applications using affected OpenSSL FIPS module versions (3.0, 3.1, 3.3, 3.4, 3.5, 3.6)
Monitoring Recommendations
- Review application logs for cryptographic operation failures that may indicate exploitation attempts
- Implement key validation logging before encapsulation operations
- Monitor system memory for signs of information disclosure through cryptographic channels
- Track OpenSSL library versions across deployed systems and flag instances running vulnerable FIPS modules
How to Mitigate CVE-2026-31790
Immediate Actions Required
- Update OpenSSL to patched versions as soon as they become available from the vendor
- Implement the recommended workaround by calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before any EVP_PKEY_encapsulate() operations
- Audit applications for usage of RSASVE key encapsulation with externally provided RSA public keys
- Consider temporarily disabling acceptance of external RSA public keys in high-risk applications until patches are applied
Patch Information
OpenSSL has released security patches addressing this vulnerability. Multiple commits have been published to fix the improper return value handling:
- GitHub OpenSSL Commit Fix
- GitHub OpenSSL Commit Update
- GitHub OpenSSL Commit Change
- GitHub OpenSSL Commit Modification
- GitHub OpenSSL Commit Revision
For complete details, refer to the OpenSSL Security Advisory 20260407.
Workarounds
- Validate all RSA public keys before use by calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() prior to EVP_PKEY_encapsulate()
- Implement application-level input validation to reject malformed or suspicious RSA public keys
- Initialize ciphertext buffers with zeroes before encapsulation operations to reduce exposure of sensitive stale data
- Restrict acceptance of RSA public keys to trusted sources only until patches can be deployed
// Workaround: Validate RSA public key before encapsulation
EVP_PKEY *pkey = /* externally provided RSA public key */;
// Validate the public key before encapsulation
if (EVP_PKEY_public_check(pkey) != 1) {
// Key validation failed - reject the key
fprintf(stderr, "Invalid RSA public key rejected\n");
EVP_PKEY_free(pkey);
return -1;
}
// Proceed with encapsulation only after successful validation
ret = EVP_PKEY_encapsulate(ctx, ciphertext, &ciphertext_len, secret, &secret_len);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
