Seven vulnerabilities have been patched in OpenSSL, including a data leakage issue tracked as CVE-2026-31790 and rated moderate severity. The flaw affects applications that use RSASVE key encapsulation to establish a secret encryption key: the library may return a success message despite failing to verify encryption, exposing data from an uninitialised memory buffer to an attacker.
The uninitialised buffer might contain sensitive data from the previous execution of the application process, leading to sensitive data leakage to an attacker, according to the advisory. OpenSSL notes that versions 3.6, 3.5, 3.4, 3.3 and 3.0 are affected, while OpenSSL 1.0.2 and 1.1.1 are not impacted. The remaining vulnerabilities are classified as low severity, and the majority can crash the application and cause a DoS condition. OpenSSL developers released updates in January, prior to this patch, addressing a dozen vulnerabilities, including a high-severity flaw in 2025.
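The failure mode described above (a success return although the output buffer was never written) can be shown with a small self-contained model. This is an added example, not OpenSSL code or code from the advisory: `model_encapsulate`, `naive_send`, `hardened_send`, the buffer size and the stale contents are all constructed for illustration, and the hardened caller shows a generic caller-side habit (clear output buffers first, refuse unwritten output) rather than the upstream fix.

```c
#include <stdio.h>
#include <string.h>
#define CT_LEN 16                   /* constructed size for this model */

/* Hypothetical stand-in for an encapsulation call: if the inner encryption
 * step fails, ct is left unwritten yet 1 (success) is still returned. */
static int model_encapsulate(unsigned char *ct, size_t len, int inner_ok)
{
    if (inner_ok)
        memset(ct, 0xA5, len);      /* constructed "ciphertext" */
    return 1;                       /* modelled bug: failure not reported */
}

static int all_zero(const unsigned char *p, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= p[i];
    return acc == 0;
}

/* Naive caller: trusts the return value; 1 means "send ct to the peer". */
int naive_send(unsigned char *ct, size_t len, int inner_ok)
{
    return model_encapsulate(ct, len, inner_ok) == 1;
}

/* Hardened caller: clears ct first so a false success can only yield zeros,
 * then fails closed when the output was never written. */
int hardened_send(unsigned char *ct, size_t len, int inner_ok)
{
    memset(ct, 0, len);
    return model_encapsulate(ct, len, inner_ok) == 1 && !all_zero(ct, len);
}

/* buf holds stale data from an earlier use (constructed). Returns 1 if the
 * chosen caller would send that stale data when the inner step fails. */
int stale_data_sent(int hardened)
{
    unsigned char buf[CT_LEN];
    memcpy(buf, "PREVIOUS-SECRET!", CT_LEN);
    int sent = hardened ? hardened_send(buf, CT_LEN, 0)
                        : naive_send(buf, CT_LEN, 0);
    return sent && memcmp(buf, "PREVIOUS-SECRET!", CT_LEN) == 0;
}

int main(void)
{
    printf("naive: %d, hardened: %d\n", stale_data_sent(0), stale_data_sent(1));
    return 0;
}
```

Clearing output buffers only limits what a false success can expose; it does not replace installing the patched OpenSSL release.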