CVE-2026-31789 [Critical] | Out-of-bounds Write in Openssl

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-08	—	0.01%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-08

—

0.01%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	[email protected]
5.8	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.0	4.7	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

[email protected]

5.8

3.1

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.0

4.7

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2026-31789

vendor	priority	summary	link
`alpine`	—	CVE-2026-31789: 1 source package rows (openssl); 5 state rows across 5 repos (3.20-main, 3.21-main, 3.22-main, 3.23-main, edge-main); fixed 5, open 0.	https://security.alpinelinux.org/vuln/CVE-2026-31789
`debian`	unimportant	CVE-2026-31789 unimportant priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-31789
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2026-31789
`suse`	high	CVE-2026-31789 severity important: SUSE including 391 source package names (1.1.2-2.16:libopenssl3-3.2.3-150700.5.31.1, 1.1.2-2.16:openssl-3-3.2.3-150700.5.31.1, …), 732 product×package rows across 97 product lines (Container private-registry/harbor-core, Container private-registry/harbor-exporter, … (97 product lines)): Fixed 416, Known Affected 231, Known Not Affected 70, First Fixed 15.	https://www.suse.com/security/cve/CVE-2026-31789/
`ubuntu`	low	CVE-2026-31789 low priority: Ubuntu including 5 source packages (edk2, nodejs, openssl, openssl-fips, openssl1.0), 37 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): not-affected 17, DNE 8, released 5, needs-triage 4, needed 3.	https://ubuntu.com/security/CVE-2026-31789

Affected software / configurations for CVE-2026-31789

Vendor	Product	Version	Raw CPE
openssl	openssl	>= 3.0.0, < 3.0.20	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.3.0, < 3.3.7	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.4.0, < 3.4.5	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.5.0, < 3.5.6	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.6.0, < 3.6.2	cpe:2.3:a:openssl:openssl::::::::

References for CVE-2026-31789

URL	Tags
https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde	Patch
https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf	Patch
https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49	Patch
https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9	Patch
https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521	Patch
https://openssl-library.org/news/secadv/20260407.txt	Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html

URL

CVE-2026-31789 | Heap Buffer Overflow in Hexadecimal Conversion

Exploit prediction scoring system (EPSS) score for CVE-2026-31789

Common vulnerability scoring system (CVSS) metrics for CVE-2026-31789

Weakness enumeration for CVE-2026-31789

GitHub Security Advisory for CVE-2026-31789

OS Trackers for CVE-2026-31789

Affected software / configurations for CVE-2026-31789

References for CVE-2026-31789