OpenSSL Release Announcement for 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg and 1.0.2zp

Apr 7, 2026

Release Announcement for OpenSSL Library 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg and 1.0.2zp

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

Changes and CVEs fixed in 3.6.2:

CVE-2026-31790 - Incorrect Failure Handling in RSA KEM RSASVE Encapsulation.
CVE-2026-28386 - Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support.
CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion.

Changes and CVEs fixed in 3.5.6:

CVE-2026-31790 - Incorrect Failure Handling in RSA KEM RSASVE Encapsulation.
CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion.

CVEs fixed in 3.4.5:

CVE-2026-31790 - Incorrect Failure Handling in RSA KEM RSASVE Encapsulation.
CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion.

CVEs fixed in 3.3.7:

CVE-2026-31790 - Incorrect Failure Handling in RSA KEM RSASVE Encapsulation.
CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion.

CVEs fixed in 3.0.20:

CVE-2026-31790 - Incorrect Failure Handling in RSA KEM RSASVE Encapsulation.
CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion.

CVEs fixed in 1.1.1zg: (premium support customers only)

CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.

CVEs fixed in 1.0.2zp: (premium support customers only)

CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.

All releases contain miscellaneous minor bug fixes. For details of the changes, refer to the release notes for versions 1.0.2, 1.1.1, 3.0, 3.3, 3.4, 3.5 and 3.6.

Specific notes on upgrading from previous versions are available in the OpenSSL Migration Guide.

OpenSSL Library 3.x is available for download at these URLs:

The distribution file names are for:

OpenSSL Library 3.6.2 - openssl-3.6.2
OpenSSL Library 3.5.6 - openssl-3.5.6
OpenSSL Library 3.4.5 - openssl-3.4.5
OpenSSL Library 3.3.7 - openssl-3.3.7
OpenSSL Library 3.0.20 - openssl-3.0.20
OpenSSL Library 1.1.1zg - openssl-1.1.1zg
OpenSSL Library 1.0.2zp - openssl-1.0.2zp