Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.

• https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac
• https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482
• https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406
• https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790
• https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e
• https://openssl-library.org/news/secadv/20260407.txt

• Openssl » Openssl » Version: 3.0.0
  cpe:2.3:a:openssl:openssl:3.0.0
• Openssl » Openssl » Version: 3.0.1
  cpe:2.3:a:openssl:openssl:3.0.1
• Openssl » Openssl » Version: 3.0.10
  cpe:2.3:a:openssl:openssl:3.0.10
• Openssl » Openssl » Version: 3.0.11
  cpe:2.3:a:openssl:openssl:3.0.11
• Openssl » Openssl » Version: 3.0.12
  cpe:2.3:a:openssl:openssl:3.0.12
• Openssl » Openssl » Version: 3.0.13
  cpe:2.3:a:openssl:openssl:3.0.13
• Openssl » Openssl » Version: 3.0.14
  cpe:2.3:a:openssl:openssl:3.0.14
• Openssl » Openssl » Version: 3.0.15
  cpe:2.3:a:openssl:openssl:3.0.15
• Openssl » Openssl » Version: 3.0.19
  cpe:2.3:a:openssl:openssl:3.0.19
• Openssl » Openssl » Version: 3.0.2
  cpe:2.3:a:openssl:openssl:3.0.2
• Openssl » Openssl » Version: 3.0.3
  cpe:2.3:a:openssl:openssl:3.0.3
• Openssl » Openssl » Version: 3.0.4
  cpe:2.3:a:openssl:openssl:3.0.4
• Openssl » Openssl » Version: 3.0.5
  cpe:2.3:a:openssl:openssl:3.0.5
• Openssl » Openssl » Version: 3.0.6
  cpe:2.3:a:openssl:openssl:3.0.6
• Openssl » Openssl » Version: 3.0.7
  cpe:2.3:a:openssl:openssl:3.0.7
• Openssl » Openssl » Version: 3.0.8
  cpe:2.3:a:openssl:openssl:3.0.8
• Openssl » Openssl » Version: 3.0.9
  cpe:2.3:a:openssl:openssl:3.0.9
• Openssl » Openssl » Version: 3.3.0
  cpe:2.3:a:openssl:openssl:3.3.0
• Openssl » Openssl » Version: 3.3.1
  cpe:2.3:a:openssl:openssl:3.3.1
• Openssl » Openssl » Version: 3.3.2
  cpe:2.3:a:openssl:openssl:3.3.2
• Openssl » Openssl » Version: 3.3.3
  cpe:2.3:a:openssl:openssl:3.3.3
• Openssl » Openssl » Version: 3.3.4
  cpe:2.3:a:openssl:openssl:3.3.4
• Openssl » Openssl » Version: 3.3.5
  cpe:2.3:a:openssl:openssl:3.3.5
• Openssl » Openssl » Version: 3.3.6
  cpe:2.3:a:openssl:openssl:3.3.6
• Openssl » Openssl » Version: 3.4.0
  cpe:2.3:a:openssl:openssl:3.4.0
• Openssl » Openssl » Version: 3.4.1
  cpe:2.3:a:openssl:openssl:3.4.1
• Openssl » Openssl » Version: 3.4.2
  cpe:2.3:a:openssl:openssl:3.4.2
• Openssl » Openssl » Version: 3.4.3
  cpe:2.3:a:openssl:openssl:3.4.3
• Openssl » Openssl » Version: 3.4.4
  cpe:2.3:a:openssl:openssl:3.4.4
• Openssl » Openssl » Version: 3.5.0
  cpe:2.3:a:openssl:openssl:3.5.0
• Openssl » Openssl » Version: 3.5.1
  cpe:2.3:a:openssl:openssl:3.5.1
• Openssl » Openssl » Version: 3.5.2
  cpe:2.3:a:openssl:openssl:3.5.2
• Openssl » Openssl » Version: 3.5.3
  cpe:2.3:a:openssl:openssl:3.5.3
• Openssl » Openssl » Version: 3.5.4
  cpe:2.3:a:openssl:openssl:3.5.4
• Openssl » Openssl » Version: 3.5.5
  cpe:2.3:a:openssl:openssl:3.5.5
• Openssl » Openssl » Version: 3.6.0
  cpe:2.3:a:openssl:openssl:3.6.0
• Openssl » Openssl » Version: 3.6.1
  cpe:2.3:a:openssl:openssl:3.6.1