CVE-2026-31789

{"id": "CVE-2026-31789", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-04-07T22:16:21.617", "references": [{"url": "https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://openssl-library.org/news/secadv/20260407.txt", "tags": ["Vendor Advisory"], "source": "openssl-security@openssl.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "openssl-security@openssl.org", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Issue summary: Converting an excessively large OCTET STRING value to\na hexadecimal string leads to a heap buffer overflow on 32 bit platforms.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nan attacker controlled code execution or other undefined behavior.\n\nIf an attacker can supply a crafted X.509 certificate with an excessively\nlarge OCTET STRING value in extensions such as the Subject Key Identifier\n(SKID) or Authority Key Identifier (AKID) which are being converted to hex,\nthe size of the buffer needed for the result is calculated as multiplication\nof the input length by 3. On 32 bit platforms, this multiplication may overflow\nresulting in the allocation of a smaller buffer and a heap buffer overflow.\n\nApplications and services that print or log contents of untrusted X.509\ncertificates are vulnerable to this issue. As the certificates would have\nto have sizes of over 1 Gigabyte, printing or logging such certificates\nis a fairly unlikely operation and only 32 bit platforms are affected,\nthis issue was assigned Low severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "lastModified": "2026-04-23T15:39:34.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B28A8143-89A4-4332-A1F8-A65FB5AA829F", "versionEndExcluding": "3.0.20", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF303B21-D9BF-461D-B7B0-A3FE1D557A9F", "versionEndExcluding": "3.3.7", "versionStartIncluding": "3.3.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DCCE43D0-8F17-475D-9EE6-842F758A9905", "versionEndExcluding": "3.4.5", "versionStartIncluding": "3.4.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6BC0271-444D-4597-BF05-DC60034EAA49", "versionEndExcluding": "3.5.6", "versionStartIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A9E621D-29D8-418A-BF37-BED333C14507", "versionEndExcluding": "3.6.2", "versionStartIncluding": "3.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "openssl-security@openssl.org"}