OpenSSL 3.6.2 - Eight CVEs Fixed in Latest Release

Moderate risk — monitor and plan remediation
Basically, OpenSSL fixed eight security issues in its latest update.
OpenSSL has released version 3.6.2, fixing eight CVEs, including critical vulnerabilities. Users of versions 3.6 and 3.5 should update immediately to ensure security.
What Happened
OpenSSL has released version 3.6.2, which includes patches for eight CVEs across several components. The most severe issue is rated Moderate. Applying this update is the way to close all eight at once.
What Got Fixed
The release addresses several vulnerabilities:
- CVE-2026-31790: Fixes incorrect failure handling in RSA KEM RSASVE encapsulation.
- CVE-2026-2673: Resolves a loss of key agreement group structure when using the DEFAULT keyword in server-side configurations.
- CVE-2026-28386: Addresses an out-of-bounds read in AES-CFB-128 on x86-64 CPUs with AVX-512 support.
- CVE-2026-28387: Fixes a potential use-after-free in DANE client code.
- CVE-2026-28388: Resolves a NULL pointer dereference when processing a delta CRL.
- CVE-2026-28389 and CVE-2026-28390: Fix two NULL dereference bugs in CMS recipient info handling.
- CVE-2026-31789: Addresses a heap buffer overflow in hexadecimal conversion.
Scope and Affected Versions
Versions 3.6 and 3.5 of OpenSSL are affected by these issues. The older branches 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by some of these CVEs, so check each CVE's affected-version list individually rather than assuming an older branch is clear. Administrators running 3.6.x on x86-64 systems with AVX-512 enabled should prioritize the fix for AES-CFB-128 (CVE-2026-28386) because of the out-of-bounds memory-read exposure.
Regression Repairs
In addition to the CVE fixes, OpenSSL 3.6.2 addresses two behavioral regressions introduced in version 3.6.0. These include restoring the pre-3.6.0 behavior of the X509_V_FLAG_CRL_CHECK_ALL flag and fixing a regression related to stapled OCSP responses that caused handshake failures.
What You Should Do
If you're running an affected OpenSSL version, update to 3.6.2 to close these vulnerabilities, and keep checking for and applying OpenSSL updates promptly, since later releases will carry further fixes.
🔍 How to Check If You're Affected
1. Check your OpenSSL version using the command `openssl version`.
2. Review the CVE list to see if your version is affected.
3. Apply the latest patch from the OpenSSL website.
4. Monitor for any unusual activity related to OpenSSL usage.
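The following POSIX shell script is an added example, not code from the OpenSSL project or from this advisory. It automates steps 1 and 2 above and the AVX-512 prioritization note from the scope section: it parses the banner printed by `openssl version`, classifies the version against the affected range named here (3.6.0 and 3.6.1 need 3.6.2; every 3.5.x is listed as affected; older branches are reported as "not-listed" because the page says only that they escape some of the CVEs), and flags hosts whose CPU advertises AVX-512. The banner string and `/proc/cpuinfo` excerpt at the bottom are constructed sample inputs; on a live host you would pass the real command output as shown in the commented-out line.

```shell
#!/bin/sh
# Added example (not OpenSSL's own tooling): triage a host against the
# OpenSSL 3.6.2 advisory. All sample inputs below are constructed.

# Classify a bare version string such as "3.6.1" or "3.5.4":
#   fixed      -> 3.6.2 or later
#   affected   -> 3.6.0, 3.6.1, or any 3.5.x (the branches named in the advisory)
#   not-listed -> every other branch; the page says older branches escape only
#                 some of the CVEs, so they are deliberately not classified here.
classify_openssl_version() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Strip suffixes such as "-dev" or a letter (1.1.1w) before comparing numerically.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$patch" ] && patch=0
    case "$major.$minor" in
        3.6)
            if [ "$patch" -ge 2 ]; then echo fixed; else echo affected; fi ;;
        3.5)
            echo affected ;;
        *)
            echo not-listed ;;
    esac
}

# Reduce the banner printed by `openssl version` ("OpenSSL 3.6.1 <build date>")
# to just the version number.
version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" {print $2}'
}

# Report whether the CPU flags line advertises AVX-512. Takes the text of
# /proc/cpuinfo as an argument so it can be exercised on a constructed sample.
cpu_has_avx512() {
    if printf '%s\n' "$1" | grep -q 'avx512'; then echo yes; else echo no; fi
}

# Combine the two checks into a single triage verdict for the host.
triage() {
    banner="$1"; cpuinfo="$2"
    ver=$(version_from_banner "$banner")
    status=$(classify_openssl_version "$ver")
    if [ "$status" = affected ] && [ "$(cpu_has_avx512 "$cpuinfo")" = yes ]; then
        # AES-CFB-128 out-of-bounds read applies to AVX-512 hosts: patch these first.
        echo "affected-prioritize-avx512"
    else
        echo "$status"
    fi
}

# Constructed sample inputs standing in for real command output.
SAMPLE_BANNER="OpenSSL 3.6.1 sample-date"
SAMPLE_CPUINFO="flags : fpu vme sse2 avx2 avx512f avx512bw"

# On a live host you would run:
# triage "$(openssl version)" "$(cat /proc/cpuinfo)"
triage "$SAMPLE_BANNER" "$SAMPLE_CPUINFO"
```

Run it as-is to see the verdict for the constructed sample (an affected 3.6.1 build on an AVX-512 CPU). A "not-listed" result is not a clean bill of health; it only means the branch is outside the two the advisory names, and each CVE's own affected-version list still has to be checked.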
🔒 Pro insight: The fixes in OpenSSL 3.6.2 address critical vulnerabilities that could be exploited, emphasizing the need for timely updates.