OpenSSL Releases Patch Multiple CVEs Across Supported Branches
The OpenSSL Project released updated versions across multiple supported branches to fix a set of security flaws in the SSL/TLS toolkit, with OpenSSL 3.6.2 carrying the broadest set of patches. The updates address issues including incorrect failure handling in RSA KEM RSASVE encapsulation, an out-of-bounds read in AES-CFB-128 on x86-64 systems with AVX-512 support, a potential use-after-free in DANE client code, several NULL pointer dereference bugs, and a heap buffer overflow in hexadecimal conversion. OpenSSL said the most severe issue in the release was rated Moderate.
Additional releases — 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg, and 1.0.2zp — also shipped with security fixes and minor bug corrections, though older branches received smaller subsets of the patches. The 3.6.2 release also repaired two regressions introduced in 3.6.0 affecting X509_V_FLAG_CRL_CHECK_ALL behavior and stapled OCSP response handling that could trigger handshake failures. Administrators running OpenSSL 3.6.x on x86-64 systems with AVX-512 enabled were specifically urged to prioritize the AES-CFB-128 fix because of memory-read exposure.
Timeline
Apr 7, 2026
OpenSSL 3.6.2 patches multiple CVEs and 3.6.0 regressions
The 3.6.2 release fixed the broadest set of issues, including flaws in RSA KEM RSASVE failure handling, an AVX-512-related AES-CFB-128 out-of-bounds read, a DANE client use-after-free, several NULL dereferences, and a heap buffer overflow in hexadecimal conversion. It also repaired two regressions introduced in OpenSSL 3.6.0 affecting CRL checking behavior and stapled OCSP response handling.
Apr 7, 2026
OpenSSL releases 3.6.2 and other supported branch updates
On April 7, 2026, the OpenSSL Project released OpenSSL 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg, and 1.0.2zp to address multiple security vulnerabilities and minor bugs across supported branches.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
OpenSSL January Security Update Fixes CMS and PKCS#12 Stack Overflows With RCE Risk
**OpenSSL released a security update on January 27, 2026**, addressing **12 vulnerabilities** across supported branches, including **one High-severity issue with potential remote code execution (RCE)**, one Moderate, and multiple Low-severity flaws. The most serious vulnerability, **CVE-2025-15467 (High)**, is a **pre-authentication stack buffer overflow** in **CMS `AuthEnvelopedData` parsing** when using AEAD ciphers (e.g., **AES-GCM**); a crafted CMS message with an **oversized IV in ASN.1 parameters** can trigger a crash and may enable code execution in applications that parse **untrusted CMS/PKCS#7 content** (notably **S/MIME** workflows). Both sources emphasize that while **DoS is the most likely outcome in many environments**, the presence of a stack write primitive makes the issue operationally significant where untrusted CMS is processed. A second notable issue, **CVE-2025-11187 (Moderate)**, involves a **stack overflow during PKCS#12 MAC verification** (PBMAC1/PBKDF2-related validation), where attacker-controlled parameters (e.g., key length) can lead to crashes and potentially more severe impact when processing **untrusted PKCS#12 files** (e.g., certificate import/export, PKI/CA tooling). Affected versions called out include **OpenSSL 3.x** (with additional low-severity issues spanning older branches such as **1.0.2 and 1.1.1**), and patched releases include **3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19** (with corresponding fixes for older maintained lines). Datadog notes **OpenSSL 3.x FIPS modules are not affected** by the highlighted CMS and PKCS#12 overflow issues, and both sources point to higher risk in services that ingest these formats from external or user-supplied inputs (e.g., S/MIME gateways, certificate management services).
1 months ago
OpenSSL Security Advisory for CMS and PKCS#12 Buffer Overflows
OpenSSL issued a **corrected security advisory** for its January 2026 update, adding **CVE-2026-22795** and **CVE-2026-22796** to the bulletin. The issues are described as **buffer overflows** affecting OpenSSL’s handling of **CMS** and **PKCS#12**, which can be triggered via crafted cryptographic inputs and may lead to memory corruption and potential exploitation depending on how vulnerable code paths are reached in consuming applications. A technical write-up of the same OpenSSL update highlights the CMS and PKCS#12 parsing risk and reinforces the need for rapid patching across environments that ingest untrusted certificates, signed messages, or PKCS#12 bundles (common in enterprise identity and certificate workflows). Other items in the set are unrelated (Firefox WebRTC RCE, Kubernetes authorization-to-RCE technique, a separate vulnerability-chain case study, operational security guidance, and non-OpenSSL security news) and should not be conflated with the OpenSSL advisory.
1 months ago
rust-openssl Flaws Enable Memory Disclosure and Buffer Overwrite
Two high-severity vulnerabilities were disclosed in **rust-openssl**, the Rust bindings for OpenSSL, affecting multiple `0.9.x` and `0.10.x` releases prior to **`0.10.78`**. **`CVE-2026-41898`** affects versions from `0.9.24` up to, but not including, `0.10.78`, where several FFI trampoline callback paths passed a closure-returned `usize` to OpenSSL without validating it against the output buffer size. The flaw can trigger buffer overflows and leak adjacent memory to a network peer, and it is mapped to **`CWE-126`** and **`CWE-130`**. A second issue, **`CVE-2026-41681`**, affects versions from `0.10.39` up to, but not including, `0.10.78`, in `MdCtxRef::digest_final()`, which writes `EVP_MD_CTX_size(ctx)` bytes to the caller buffer without checking whether the buffer is large enough. The resulting out-of-bounds write can cause stack corruption and is reachable from safe Rust, with the weakness classified as **`CWE-121`**. Both vulnerabilities were addressed in **`rust-openssl 0.10.78`**, with public advisories, code references, and fix details released alongside the CVE records.
1 weeks ago