OpenSSL 1.1 Update Fixes Multiple Security Risks
SUSE-SU-2026:1386-1
Summary
This update fixes five security risks in OpenSSL 1.1 that could allow an attacker to crash the system or steal sensitive information. These risks are related to how OpenSSL handles certain types of data, and could be exploited by a malicious email or website. To stay secure, update your OpenSSL 1.1 installation as soon as possible.
What to do
- Update openssl-1_1 to version 1.1.1w-150700.11.16.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| SUSE:Linux Enterprise Module for Basesystem 15 SP7 | – | openssl-1_1 | < 1.1.1w-150700.11.16.1 (Fix: upgrade to 1.1.1w-150700.11.16.1) |
| SUSE:Linux Enterprise Module for Development Tools 15 SP7 | – | openssl-1_1 | < 1.1.1w-150700.11.16.1 (Fix: upgrade to 1.1.1w-150700.11.16.1) |
| SUSE:Linux Enterprise Module for Legacy 15 SP7 | – | openssl-1_1 | < 1.1.1w-150700.11.16.1 (Fix: upgrade to 1.1.1w-150700.11.16.1) |
Original title
Security update for openssl-1_1
Original description
This update for openssl-1_1 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- https://www.suse.com/support/update/announcement/2026/suse-su-20261386-1/ Vendor Advisory
- https://bugzilla.suse.com/1260441 Third Party Advisory
- https://bugzilla.suse.com/1260442 Third Party Advisory
- https://bugzilla.suse.com/1260443 Third Party Advisory
- https://bugzilla.suse.com/1260444 Third Party Advisory
- https://bugzilla.suse.com/1261678 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2026-28387 URL
- https://www.suse.com/security/cve/CVE-2026-28388 URL
- https://www.suse.com/security/cve/CVE-2026-28389 URL
- https://www.suse.com/security/cve/CVE-2026-28390 URL
- https://www.suse.com/security/cve/CVE-2026-31789 URL
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026