CVE-2026-31790

Issue summary: Applications using RSASVE key encapsulation to establish<br /> a secret encryption key can send contents of an uninitialized memory buffer to<br /> a malicious peer.<br /> <br /> Impact summary: The uninitialized buffer might contain sensitive data from the<br /> previous execution of the application process which leads to sensitive data<br /> leakage to an attacker.<br /> <br /> RSA_public_encrypt() returns the number of bytes written on success and -1<br /> on error. The affected code tests only whether the return value is non-zero.<br /> As a result, if RSA encryption fails, encapsulation can still return success to<br /> the caller, set the output lengths, and leave the caller to use the contents of<br /> the ciphertext buffer as if a valid KEM ciphertext had been produced.<br /> <br /> If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an<br /> attacker-supplied invalid RSA public key without first validating that key,<br /> then this may cause stale or uninitialized contents of the caller-provided<br /> ciphertext buffer to be disclosed to the attacker in place of the KEM<br /> ciphertext.<br /> <br /> As a workaround calling EVP_PKEY_public_check() or<br /> EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate<br /> the issue.<br /> <br /> The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.