{"id":"JLSEC-2026-246","summary":"Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact...","details":"Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","modified":"2026-04-27T19:02:53.935709479Z","published":"2026-04-27T18:33:55.942Z","upstream":["CVE-2023-6237","EUVD-2023-58483","GHSA-hvc4-mjv4-5mw6"],"database_specific":{"sources":[{"imported":"2026-04-27T16:33:38.884Z","published":"2024-04-25T07:15:45.270Z","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-6237","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6237","database_specific":{"status":"Deferred"},"id":"CVE-2023-6237","modified":"2026-04-15T00:35:42.020Z"},{"imported":"2026-04-27T16:34:49.999Z","published":"2024-04-25T09:32:09Z","url":"https://api.github.com/advisories/GHSA-hvc4-mjv4-5mw6","modified":"2024-11-01T18:32:30Z","html_url":"https://github.com/advisories/GHSA-hvc4-mjv4-5mw6","id":"GHSA-hvc4-mjv4-5mw6"},{"imported":"2026-04-27T16:33:19.097Z","published":"2024-04-25T06:27:26Z","url":"https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2023-58483","modified":"2024-11-01T14:28:51Z","html_url":"https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-58483","id":"EUVD-2023-58483"}],"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"type":"WEB","url":"https://github.com/advisories/GHSA-hvc4-mjv4-5mw6"},{"type":"WEB","url":"https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d"},{"type":"WEB","url":"https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a"},{"type":"WEB","url":"https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6237"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20240531-0007"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20240531-0007/"},{"type":"WEB","url":"https://www.openssl.org/news/secadv/20240115.txt"}],"affected":[{"package":{"name":"OpenSSL_jll","ecosystem":"Julia","purl":"pkg:julia/OpenSSL_jll?uuid=458c3c95-2e84-50aa-8efc-19380b2a3a95"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.8+0"},{"fixed":"3.0.13+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-246.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}