EXECUTIVE SUMMARY
A vulnerability (CVE-2026-31790) in OpenSSL RSA KEM handling allows exposure of sensitive memory. Im-proper error validation causes failed encryption to be treated as successful. Attackers can exploit this to leak uninitialized memory via crafted RSA public keys.
- CVE: CVE-2026-31790
- CVSS:7.5
- Active Region: Global
- Affected Sector: IT, Cloud, Web Services, Cryptographic Systems
- Affected Product: OpenSSL 3.x (RSA KEM / RSASVE)
- Severity: High
- Published Date: April 7, 2026
TECHNICAL DETAILS
- Target: The vulnerability affects applications using OpenSSL’s RSA KEM (RSASVE) through the EVP_PKEY_encapsulate() API, especially those handling external or user-supplied public keys for key exchange.
- Root Cause: The issue stems from improper error handling in the RSA_public_encrypt() function. Instead of correctly verifying whether the function returns a positive value for success and -1 for failure, the affected logic only checks if the return value is non-zero. As a result, a failure condition (-1) is incorrectly interpreted as a successful encryption operation, allowing the process to continue with invalid or uninitialized data.
- Prerequisite for Exploitation: Exploitation requires that the application accepts attacker-controlled RSA public keys without performing adequate validation. The system must be……



