Data Leakage Vulnerability Patched in OpenSSL

Seven vulnerabilities have been patched with the latest OpenSSL updates, including a flaw that can allow an attacker to obtain sensitive data. The data leakage issue, tracked as CVE-2026-31790 and rated ‘moderate severity’, affects applications that use RSASVE key encapsulation to establish a secret encryption key. The problem is that OpenSSL sometimes fails to properly verify that the encryption succeeded, yet may still return a ‘success’ message, exposing data from an uninitialized memory buffer to the attacker.  “The uninitialized buffer might contain sensitive data from the previous execution of the application process, which leads to sensitive data leakage to an attacker,” OpenSSL developers explained in an advisory. The security hole affects versions 3.6, 3.5, 3.4, 3.3, and 3.0. OpenSSL 1.0.2 and 1.1.1 are not impacted. The remaining vulnerabilities have all been classified as ‘low severity’. A majority can be exploited to crash the application and cause a DoS condition.  Two of the flaws could in theory lead to arbitrary code execution, but one affects an uncommon configuration of OpenSSL, and one involves sending a specially crafted 1GB X.509 certificate. Updates released by OpenSSL developers in January addressed a dozen vulnerabilities, including a high-severity flaw that could be exploited for remote code execution.  High-severity vulnerabilities are now rare in OpenSSL. Only one such vulnerability was found in 2025. Related: High-Severity OpenSSL Vulnerability Found by Apple Allows MitM Attacks Related: RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years Related: OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks Related: Critical Flowise Vulnerability in Attacker Crosshairs WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Severe StrongBox Vulnerability Patched in Android GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack  White House Seeks to Slash CISA Funding by $707 Million Wynn Resorts Says 21,000 Employees Affected by ShinyHunters Hack T-Mobile Sets the Record Straight on Latest Data Breach Filing Apple Rolls Out DarkSword Exploit Protection to More Devices Cybersecurity M&A Roundup: 38 Deals Announced in March 2026 Toy Giant Hasbro Hit by Cyberattack Latest News RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years FBI: Cybercrime Losses Neared $21 Billion in 2025 Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption  Evasive Masjesu DDoS Botnet Targets IoT Devices Hackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to Takeover US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks Anthropic Unveils ‘Claude Mythos’ – A Cybersecurity Breakthrough That Could Also Supercharge Attacks Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Pamela McLeod has been named as CISO of the state of New Hampshire. Aspen Digital has named Matt Altomare as its new Senior Director for Cybersecurity Programs. Scott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea. More People On The Move Expert Insights The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) Flipboard Reddit Whatsapp Email