| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
Known vulnerabilities affecting Openssl products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-41898 | The FFI trampolines behind `SslContextBuilder::set_psk_client_callback`, `set_psk_server_callback`, `set_cookie_generate_cb`, and `set_stateless_cookie_generate_cb` forwarded the user closure's retur... | 9.8 | 674 | Neutral | No |
| Yes |
| CVE-2026-41681 | `EVP_DigestFinal()` always writes `EVP_MD_CTX_size(ctx)` to the `out` buffer. If `out` is smaller than that, `MdCtxRef::digest_final()` writes past its end, usually corrupting the stack. This is reach... | 9.8 | 588 | Neutral | No | Yes |
| CVE-2026-41678 | ### Summary ``aes::unwrap_key()`` has an incorrect bounds assertion on the out buffer size, which can lead to out-of-bounds write. ### Details ``aes::unwrap_key()`` contains an incorrect assertion: i... | 9.8 | 717 | Neutral | No | Yes |
| CVE-2026-41677 | The `*_from_pem_callback` APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of Open... | 9.1 | 653 | Neutral | No | Yes |
| CVE-2026-41676 | `Deriver::derive` (and `PkeyCtxRef::derive`) sets `len = buf.len()` and passes it as the in/out length to `EVP_PKEY_derive`, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF... | 9.8 | 717 | Neutral | No | Yes |
| CVE-2026-31790 | Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitiali... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-31789 | Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a cra... | 9.8 | 717 | Neutral | No | Yes |
| CVE-2026-28390 | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-contro... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-28389 | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-28388 | Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A N... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-28387 | Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-f... | 8.1 | 611 | Neutral | No | Yes |
| CVE-2026-28386 | Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks... | 7.5 | 471 | Neutral | No | Yes |
| CVE-2026-27459 | If a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Cookie values that are too long are ... | 9.8 | 674 | Neutral | No | Yes |
| CVE-2026-27448 | If a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security... | 5.3 | 124 | Neutral | No | Yes |
| CVE-2026-22796 | Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an inval... | 5.3 | 124 | Neutral | No | Yes |
| CVE-2026-22795 | Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be cause... | 5.5 | 125 | Neutral | No | Yes |
| CVE-2025-69421 | Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash ... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-69420 | Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NU... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-69419 | Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte wri... | 7.4 | 496 | Neutral | No | Yes |
| CVE-2025-69418 | Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block... | 4.0 | 103 | Neutral | No | Yes |