Nikola Pajkovsky

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A heap out-of-bounds read can occur during CMS password-based decryption (RFC 3211 / PWRI key unwrap) when processing attacker-supplied CMS data. The issue arises in the `kek unwrap key()` function when an attacker selects a stream-mode Key Encryption Key (KEK) cipher via an OID in the `keyEncryptionAlgorithm`. Because the system does not require the cipher to be a block cipher, the minimum length check is bypassed, allowing the allocated buffer for the unwrapped key to be too small for the RFC-specified check-bytes. This can lead to a crash and subsequent Denial of Service if the input buffer ends at a memory page boundary and the following page is unmapped. Applications using `CMS decrypt()` or `CMS decrypt set1 password()` on untrusted data are affected. No password knowledge is required to trigger this issue. FIPS modules are not affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL FIPS modules versions 3.0 through 3.6 **Description** Applications using RSASVE key encapsulation can send contents of an uninitialized memory buffer to a malicious peer, potentially leading to sensitive data leakage. This occurs when applications use `EVP PKEY encapsulate()` with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key. The `RSA public encrypt()` function returns the number of bytes written on success and -1 on error, but the affected code only checks if the return value is non-zero. If RSA encryption fails, the encapsulation can still return success, allowing the caller to use uninitialized ciphertext. Calling `EVP PKEY public check()` or `EVP PKEY public check quick()` before `EVP PKEY encapsulate()` can mitigate this issue. **Recommendations** Apply the OpenSSL April 2026 security update immediately. If you cannot update immediately, call `EVP PKEY public check()` or `EVP PKEY public check quick()` before `EVP PKEY encapsulate()` as a mitigation. Audit uses of RSASVE/`EVP PKEY encapsulate()` and ensure public keys are validated prior to encapsulation. Rotate keys/secrets if exposure is suspected.