CVEs and the FIPS provider

Since the release of OpenSSL 3.0.0, a number of CVEs have been identified and resolved. Most of them do not affect the validated FIPS providers, but a few do. The table below lists every CVE issued since the first FIPS provider release, newest first, together with the OpenSSL releases that fix it and whether it applies to the validated FIPS provider. Notes on applicability and any available workaround are given indented beneath the row they belong to, and the rows reading "Release of … FIPS provider" mark where each validated provider release falls in the list.

CVE ID            Fixed in                            FIPS?
----------------  ----------------------------------  -----
CVE-2026-34180    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-34181    3.4.6, 3.5.7, 3.6.3, 4.0.1          no
CVE-2026-34182    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-34183    3.4.6, 3.5.7, 3.6.3, 4.0.1          no
CVE-2026-35188    3.6.3, 4.0.1                        no
CVE-2026-42764    3.5.7, 3.6.3, 4.0.1                 no
CVE-2026-42765    3.6.3, 4.0.1                        no
CVE-2026-42766    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-42767    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-42768    3.4.6, 3.5.7, 3.6.3, 4.0.1          no
CVE-2026-42769    3.4.6, 3.5.7, 3.6.3, 4.0.1          no
CVE-2026-42770    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  yes
    FFC-DH (X9.42/DHX) peer validation uses the attacker-supplied q instead
    of the local key’s q, skipping proper subgroup membership checking.
    Workaround: call EVP_PKEY_parameters_eq() to compare the parameters of
    the remote and local keys before performing the key exchange.
CVE-2026-42771    4.0.1                               no
CVE-2026-45445    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-45446    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-45447    3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-7383     3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-9076     3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1  no
CVE-2026-31790    3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2  yes
    Incorrect failure handling in RSA KEM RSASVE encapsulation may leak
    uninitialized memory contents.
    Workaround: call EVP_PKEY_public_check() or EVP_PKEY_public_check_quick()
    before EVP_PKEY_encapsulate() to validate the peer’s RSA public key.
CVE-2026-31789    3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2  no
CVE-2026-28390    3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2  no
CVE-2026-28389    3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2  no
CVE-2026-28388    3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2  no
CVE-2026-28387    3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2  no
CVE-2026-28386    3.6.2                               yes
    Out-of-bounds read in AES-CFB-128 on x86-64 with AVX-512 and VAES
    support. Only the 3.6 FIPS module is affected.
    Workaround: AES-CFB-128 is not used by TLS/DTLS; avoid this mode on
    affected CPUs, or run on hardware without AVX-512/VAES.
CVE-2026-2673     3.5.6, 3.6.2                        no
CVE-2026-22796    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2026-22795    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2025-69421    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2025-69420    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2025-69419    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2025-69418    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2025-68160    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2025-66199    3.3.6, 3.4.4, 3.5.5, 3.6.1          no
CVE-2025-15469    3.5.5, 3.6.1                        no
CVE-2025-15468    3.3.6, 3.4.4, 3.5.5, 3.6.1          no
CVE-2025-15467    3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1  no
CVE-2025-11187    3.4.4, 3.5.5, 3.6.1                 no
CVE-2025-9232     3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4  no
CVE-2025-9231     3.2.6, 3.3.5, 3.4.3, 3.5.4          no
CVE-2025-9230     3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4  no
CVE-2025-4575     3.5.1                               no
CVE-2024-13176    3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1  yes
    Timing side channel in ECDSA signature computations.
    Workaround: avoid using the module for ECDSA signatures where an attacker
    can be running in the same datacenter.
CVE-2024-12797    3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1  no
CVE-2024-9143     3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0  no
CVE-2024-6119     3.0.15, 3.1.7, 3.2.3, 3.3.2         no
CVE-2024-5535     3.0.15, 3.1.7, 3.2.3, 3.3.2         no
CVE-2024-4741     3.0.14, 3.1.6, 3.2.2, 3.3.1         no
CVE-2024-4603     3.0.14, 3.1.6, 3.2.2, 3.3.1         yes
    EVP_PKEY_public_check() can take a long time.
    Workaround: first check the value returned by EVP_PKEY_get_bits() and
    reject too large keys.
CVE-2024-2511     3.0.14, 3.1.6, 3.2.2                no
CVE-2024-0727     3.0.13, 3.1.5, 3.2.1                no
CVE-2023-6237     3.0.13, 3.1.5, 3.2.1                yes
    EVP_PKEY_public_check() can take a long time.
    Workaround: first check the value returned by EVP_PKEY_get_bits() and
    reject too large keys.
CVE-2023-6129     3.0.13, 3.1.5, 3.2.1                no
CVE-2023-5678     3.0.13, 3.1.5                       no
CVE-2023-5363     3.0.12, 3.1.4                       no
CVE-2023-4807     3.0.11, 3.1.3                       no
Release of 3.1.2 FIPS provider
CVE-2023-3817     3.0.10, 3.1.2                       no
CVE-2023-3446     3.0.10, 3.1.2                       no
CVE-2023-2975     3.0.10, 3.1.2                       no
Release of 3.0.9 FIPS provider
CVE-2023-2650     3.0.9, 3.1.1                        no
CVE-2023-1255     3.0.9, 3.1.1                        yes
    Possible denial of service on Arm 64 (aarch64) using AES XTS mode.
CVE-2023-0466     3.0.9, 3.1.1                        no
CVE-2023-0465     3.0.9, 3.1.1                        no
CVE-2023-0464     3.0.9, 3.1.1                        no
Release of 3.0.8 FIPS provider
CVE-2023-0401     3.0.8                               no
CVE-2023-0286     3.0.8                               no
CVE-2023-0217     3.0.8                               yes
    DSA public key checks (but not from TLS).
CVE-2023-0216     3.0.8                               no
CVE-2023-0215     3.0.8                               no
CVE-2022-4450     3.0.8                               no
CVE-2022-4304     3.0.8                               yes
    Timing side channel in RSA.
CVE-2022-4203     3.0.8                               no
CVE-2022-3996     3.0.8                               no
CVE-2022-3786     3.0.7                               no
CVE-2022-3602     3.0.7                               no
CVE-2022-3358     3.0.6                               no
CVE-2022-2274     3.0.5                               no
    Bug introduced in 3.0.4, which isn’t validated.
CVE-2022-2097     3.0.5                               no
    Architecture (x86) is not part of the validation.
CVE-2022-2068     3.0.4                               no
CVE-2022-1473     3.0.3                               no
CVE-2022-1434     3.0.3                               no
CVE-2022-1343     3.0.3                               no
CVE-2022-1292     3.0.3                               no
CVE-2022-0778     3.0.2                               maybe
    Difficult to encounter inside the FIPS boundary.
CVE-2021-4160     3.0.1                               no
    Architecture (MIPS) is not part of the validation.
CVE-2021-4044     3.0.1                               no
Release of 3.0.0 FIPS provider