# OpenSSL Advisory: April 7th, 2026 (BoringSSL Not Affected)

OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20260407.txt). Here's how it affects BoringSSL:

CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2026-31790 | Incorrect Failure Handling in RSA KEM RSASVE Encapsulation | Moderate | Not affected, issue was introduced after fork
CVE-2026-28386 | Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support | Low | Not affected, issue was introduced after fork
CVE-2026-28387 | Potential Use-after-free in DANE Client Code | Low | Not affected, issue was introduced after fork
CVE-2026-28388 | NULL Pointer Dereference When Processing a Delta CRL | Low | Not affected, impacted code was removed from BoringSSL in [November 2023](https://boringssl-review.googlesource.com/c/boringssl/+/63929)
CVE-2026-28389 | Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo | Low | Not affected, impacted code was removed from BoringSSL in the initial fork
CVE-2026-28390 | Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo | Low | Not affected, impacted code was removed from BoringSSL in the initial fork
CVE-2026-31789 | Heap Buffer Overflow in Hexadecimal Conversion | Low | Not affected, issue was introduced after fork

[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity