PatchSiren cyber security CVE debrief
CVE-2026-31790 Cert Portal CVE debrief
CVE-2026-31790 is a high-severity information-disclosure issue described in the CISA-republished Siemens advisory. The flaw can cause an application using RSASVE key encapsulation to return success even when RSA encryption fails, leaving the caller to use an output buffer that may contain stale or uninitialized data. If that buffer is sent to a peer, sensitive data from prior process execution may be exposed.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators of Siemens SIMATIC CN 4100 deployments on affected versions, and developers or integrators using EVP_PKEY_encapsulate() with RSA/RSASVE. This is especially important where attacker-supplied public keys may be accepted without prior validation.
Technical summary
The advisory states that RSA_public_encrypt() returns the number of bytes written on success and -1 on error, but the affected code checks only whether the return value is non-zero. In the failing case, encapsulation can still report success, set output lengths, and allow the caller to use the contents of the ciphertext buffer as though a valid KEM ciphertext had been produced. If EVP_PKEY_encapsulate() is used with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, stale or uninitialized contents of the caller-provided ciphertext buffer may be disclosed. The supplied advisory notes also say the issue affects FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1, and 3.0.
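The return-value mistake described above, as an added C illustration (not code from the advisory or from the affected library). The names `fake_public_encrypt`, `encap_flawed`, `encap_checked` and `stale_bytes_exposed` are hypothetical, the invalid key is modelled by a flag, the `ret <= 0` check is an assumed correction, and no real cryptography is performed.

```c
#include <stddef.h>
#include <string.h>

typedef int (*encap_fn)(int, const unsigned char *, size_t, unsigned char *, size_t *);

/* Stand-in for RSA_public_encrypt() as the advisory describes it: returns
 * bytes written on success, -1 on error. Hypothetical: key_ok == 0 models
 * an invalid public key; the memcpy is a placeholder for the RSA operation. */
static int fake_public_encrypt(int key_ok, const unsigned char *in,
                               size_t inlen, unsigned char *out)
{
    if (!key_ok) return -1;            /* error path: out is left untouched */
    memcpy(out, in, inlen);
    return (int)inlen;
}

/* Flawed pattern: any non-zero return counts as success, so -1 passes. */
static int encap_flawed(int key_ok, const unsigned char *secret, size_t n,
                        unsigned char *ct, size_t *ctlen)
{
    int ret = fake_public_encrypt(key_ok, secret, n, ct);
    if (!ret) return 0;
    *ctlen = n;                        /* length set, nothing was written */
    return 1;
}

/* Assumed correction: only a positive byte count is success. */
static int encap_checked(int key_ok, const unsigned char *secret, size_t n,
                         unsigned char *ct, size_t *ctlen)
{
    int ret = fake_public_encrypt(key_ok, secret, n, ct);
    if (ret <= 0) {
        memset(ct, 0, n);              /* never hand back stale bytes */
        *ctlen = 0;
        return 0;
    }
    *ctlen = (size_t)ret;
    return 1;
}

/* Constructed scenario: the caller's buffer still holds earlier data.
 * Returns 1 if a "successful" call leaves those stale bytes in ct. */
int stale_bytes_exposed(encap_fn encap)
{
    unsigned char ct[16];
    const unsigned char secret[16] = {0};
    size_t ctlen = 0;
    memcpy(ct, "PRIOR-SESSION-KY", 16);   /* constructed stale content */
    int ok = encap(0 /* invalid key */, secret, sizeof secret, ct, &ctlen);
    return ok && ctlen == 16 && memcmp(ct, "PRIOR-SESSION-KY", 16) == 0;
}
```

With the flawed check, the caller sees success and a full-length "ciphertext" that is really the buffer's earlier contents; with the corrected check, the call fails and the buffer is cleared.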
Defensive priority
High. Prioritize patching affected systems and validate key-handling paths that use RSASVE encapsulation.
Recommended defensive actions
- Update to Siemens SIMATIC CN 4100 V5.0 or later, per the supplied remediation.
- Before calling EVP_PKEY_encapsulate(), validate the RSA public key with EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() when using RSASVE.
- Inventory whether affected FIPS module versions 3.6, 3.5, 3.4, 3.3, 3.1, or 3.0 are present in your environment.
- Treat any possibly disclosed ciphertext/output buffers as sensitive and review whether prior-process data could have been exposed; rotate secrets if warranted by your risk assessment.
Evidence notes
Source corpus says the advisory was published on 2026-05-12 and republished by CISA on 2026-05-14 based on Siemens ProductCERT SSA-032379. The advisory text explicitly describes disclosure of uninitialized memory contents, the RSA_public_encrypt() return-value handling issue, and the validation workaround. The supplied vendor/product mapping is low-confidence and should be reviewed against the advisory references.
Official resources
- CVE-2026-31790 CVE record (CVE.org)
- CVE-2026-31790 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2026-05-12 in the CISA CSAF advisory feed, with a CISA republication on 2026-05-14 incorporating Siemens ProductCERT SSA-032379.