OpenSSL has released version 3.6.2 as a security patch update that fixes eight vulnerabilities, with the project rating the most severe issue as Moderate. The update addresses flaws in RSA KEM handling, AES-CFB-128 on x86-64 systems with AVX-512, DANE client code, CMS processing, delta CRL handling, and hexadecimal conversion.
The vulnerabilities fixed in OpenSSL 3.6.2 are:
- CVE-2026-31790
- CVE-2026-2673
- CVE-2026-28386
- CVE-2026-28387
- CVE-2026-28388
- CVE-2026-28389
- CVE-2026-28390
- CVE-2026-31789
Among the issues fixed in this release are incorrect failure handling in RSA KEM RSASVE encapsulation, loss of key agreement group tuple structure when the DEFAULT keyword is used in server-side configuration, and an out-of-bounds read in AES-CFB-128 on x86-64 CPUs with AVX-512 support.
OpenSSL 3.6.2 also resolves a potential use-after-free in DANE client code, a heap buffer overflow in hexadecimal conversion, and several NULL pointer dereference bugs affecting delta CRL processing and CMS recipient info handling.
For more details, see the changelog.
