32 matches found

OSV (added 2026/05/03 9:56 a.m., 2 views)

OESA-2026-2161 edk2 security update

EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. Security Fixes: Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious...

CVSS 7.5, AI score 7.4, EPSS 0.00042; Exploits 0, References 2
SUSE CVE (added 2026/04/07 11:26 p.m., 7 views)

SUSE CVE-2026-31790

Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process whi...

CVSS 6.5, AI score 6.1, EPSS 0.00042; Exploits 0, References 16
Snyk (added 2026/04/07 11:09 p.m., 1 view)

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the RSASVE encapsulation process. An attacker can obtain sensitive information by supplying an invalid RSA public key and triggering the use of uninitialized memory contents as...

CVSS 8.2, AI score 5.8, EPSS 0.00042; Exploits 0, References 2
OSV (added 2026/04/07 10:16 p.m., 2 views)

ALPINE-CVE-2026-31790

Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process whi...

CVSS 7.5, AI score 6.1, EPSS 0.00042; Exploits 0, References 1
Vulnrichment (added 2026/04/07 10:00 p.m., 3 views)

CVE-2026-31790 Incorrect Failure Handling in RSA KEM RSASVE Encapsulation

Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process whi...

AI score 6, EPSS 0.00042; Exploits 0, References 6
CVE (added 2026/04/07 10:00 p.m., 102 views)

CVE-2026-31790

CVE-2026-31790 affects OpenSSL RSA-based RSASVE encapsulation where RSA_public_encrypt may succeed and output an uninitialized ciphertext buffer if the invocation path returns an error. This can allow leakage of uninitialized data from a prior run of the process to a peer, if an attacker supplies...

CVSS 7.5, AI score 6, EPSS 0.00042; Exploits 0, References 7, Affected Software 1
Positive Technologies (added 2026/04/07 12:00 a.m., 4 views)

PT-2026-31041

Name of the Vulnerable Software and Affected Versions: OpenSSL FIPS modules versions 3.0 through 3.6. Description: Applications using RSASVE key encapsulation can send contents of an uninitialized memory buffer to a malicious peer, potentially leading to sensitive data leakage. This occurs when...

CVSS 9.8, AI score 6, EPSS 0.0014; Exploits 0, References 96
RedhatCVE (added 2026/01/13 10:55 p.m., 2 views)

CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5, AI score 6.7, EPSS 0.00006; Exploits 1, References 6
EUVD (added 2026/01/13 2:58 p.m., 2 views)

EUVD-2026-1868

Cosign verification accepts any valid Rekor entry under certain conditions...

CVSS 5.5, AI score 6.1, EPSS 0.00006; Exploits 1, References 4
NVD (added 2026/01/10 7:16 a.m., 4 views)

CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5, EPSS 0.00006; Exploits 1, References 3
Positive Technologies (added 2026/01/01 12:00 a.m., 3 views)

PT-2026-2253

Name of the Vulnerable Software and Affected Versions: Cosign versions prior to 2.6.2 and 3.0.4. Description: Cosign is a tool providing code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a crafted Cosign bundle could successfully verify an artifact even if...

CVSS 7.5, AI score 6.8, EPSS 0.00046; Exploits 4, References 40
RedHat Linux (added 2024/11/12 9:20 a.m., 2 views)

openssl: Excessive time spent checking invalid RSA public keys

A flaw was found in OpenSSL. When the EVP_PKEY_public_check function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large...

CVSS 5.9, AI score 7.1, EPSS 0.00944; Exploits 0, References 6
Amazon (added 2024/08/15 12:00 a.m., 2 views)

Medium: openssl

Issue Overview: Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check or EVP_PKEY_public_check to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that ar...

CVSS 9.1, AI score 7, EPSS 0.06873; Exploits 1
BDU FSTEC (added 2024/06/07 12:00 a.m., 1 view)

The vulnerabilities of the functions EVP_PKEY_param_check() and EVP_PKEY_public_check() in the OpenSSL cryptographic library allow an attacker to cause a service failure.

The vulnerability of the EVP_PKEY_param_check and EVP_PKEY_public_check functions in the OpenSSL cryptographic library is related to uncontrolled resource consumption. Exploiting this vulnerability could allow a remote attacker to cause service interruptions...

CVSS 5.3, AI score 6.7, EPSS 0.00092; Exploits 0, References 6, Affected Software 3
OSV (added 2024/05/16 4:15 p.m., 2 views)

DEBIAN-CVE-2024-4603

Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check or EVP_PKEY_public_check to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked...

CVSS 5.3, AI score 6.7, EPSS 0.00092; Exploits 0, References 1
RedHat Linux (added 2024/04/30 10:36 a.m., 1 view)

openssl: Excessive time spent checking invalid RSA public keys

A flaw was found in OpenSSL. When the EVP_PKEY_public_check function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large...

CVSS 5.9, AI score 7.1, EPSS 0.00944; Exploits 0, References 6
OSV (added 2024/04/25 7:15 a.m., 1 view)

DEBIAN-CVE-2023-6237

Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may...

CVSS 5.9, AI score 6.6, EPSS 0.00944; Exploits 0, References 1
ATTACKERKB (added 2024/04/25 7:15 a.m., 1 view)

CVE-2023-6237

Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may...

CVSS 5.9, AI score 6.8, EPSS 0.00944; Exploits 0, References 7, Affected Software 1
OSV (added 2024/04/25 7:15 a.m., 3 views)

AZL-39946 CVE-2023-6237 affecting package openssl for versions less than 3.3.0-1

Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may...

CVSS 5.9, AI score 6.5, EPSS 0.00944; Exploits 0, References 1
BDU FSTEC (added 2024/01/31 12:00 a.m., 1 view)

The vulnerability of the EVP_PKEY_public_check() function in the OpenSSL library allows an attacker to cause a service failure.

The vulnerability of the EVP_PKEY_public_check function in the OpenSSL library is related to pointer arithmetic errors. Exploiting this vulnerability could allow a remote attacker to cause a service failure...

CVSS 7.8, AI score 7.3, EPSS 0.0086; Exploits 0, References 6, Affected Software 10