290 CVEs

1 in CISA KEV

openssl Vulnerabilities

CVE security advisories and vulnerability history for openssl.

290

Total CVEs

Published

1

In CISA KEV

Exploited in the wild

43

Public exploits

With known exploit

6.6

Avg CVSS

2000–2026

Overview

openssl has 290 published CVE records since 2000, of which 1 are in CISA's Known Exploited Vulnerabilities catalog and 43 have a known public exploit. The average CVSS base score across scored CVEs is 6.6.

This page aggregates every publicly disclosed vulnerability (CVE) affecting openssl products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of openssl's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical6

High31

Medium34

Low3

216 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

1

One of openssl's CVEs is confirmed exploited in the wild.

Public exploits

43

43 of openssl's CVEs have a known public exploit available.

Most affected products

The openssl products with the most published CVEs.

openssl288 CVEs
debian linux46 CVEs
ubuntu linux32 CVEs
node.js30 CVEs
fedora28 CVEs
openssl-src26 CVEs
node24 CVEs
SIMATIC S7-1500 TM MFP - GNU/Linux subsystem19 CVEs

Common weakness types

The CWE weakness categories most often found in openssl CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish openssl CVE records.

Disclosure activity by year

How many openssl CVEs were published each year.

2019

9

2020

6

2021

8

2022

13

2023

19

2024

9

2025

7

2026

20

Latest openssl CVEs

The most recently disclosed vulnerabilities affecting openssl.

Incorrect Failure Handling in RSA KEM RSASVE Encapsulation
CWE-754
High · CVSS 7.5
EPSS 0.0%2026-04-07
Heap Buffer Overflow in Hexadecimal Conversion
CWE-787
High · CVSS 7.2
EPSS 0.0%2026-04-07
Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo
CWE-476
High · CVSS 7.5
EPSS 0.1%2026-04-07
Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo
CWE-476
High · CVSS 7.5
EPSS 0.1%2026-04-07
NULL Pointer Dereference When Processing a Delta CRL
CWE-476
High · CVSS 7.5
EPSS 0.0%2026-04-07
Potential Use-after-free in DANE Client Code
CWE-416
Critical · CVSS 9.1
EPSS 0.0%2026-04-07
Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support
CWE-125
Critical · CVSS 9.1
EPSS 0.0%2026-04-07
OpenSSL TLS 1.3 server may choose unexpected key agreement group
CWE-757
Medium · CVSS 6.5
EPSS 0.0%2026-03-13
ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
CWE-754
Medium · CVSS 5.3
EPSS 0.5%2026-01-27
Missing ASN1_TYPE validation in PKCS#12 parsing
CWE-754
Medium · CVSS 5.5
EPSS 0.0%2026-01-27
NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
CWE-476
High · CVSS 7.5
EPSS 0.1%2026-01-27
Missing ASN1_TYPE validation in TS_RESP_verify_response() function
CWE-754
High · CVSS 7.5
EPSS 1.1%2026-01-27

Track new openssl CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor openssl CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

Schneider Electric300 CVEs python300 CVEs deltaww296 CVEs openstack294 CVEs PDF-XChange289 CVEs IBM Corporation288 CVEs xwiki285 CVEs open-xchange279 CVEs

Browse all vendors

Frequently asked questions

Common questions about openssl vulnerabilities.

How many CVEs does openssl have?

openssl has 290 published CVE records since 2000, including 27 in the last two years.

How many openssl CVEs are in CISA KEV?

Yes — 1 of openssl's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which openssl products have the most CVEs?

The openssl products with the most published CVEs are openssl, debian linux, ubuntu linux, node.js, fedora.

What are the most common weakness types in openssl CVEs?

openssl's CVEs most often map to these CWE weakness types: CWE-476 (NULL Pointer Dereference), CWE-125 (Out-of-bounds Read), CWE-787 (Out-of-bounds Write), CWE-295 (Improper Certificate Validation).

Are there public exploits for openssl vulnerabilities?

Yes — 43 of openssl's CVEs have a known public exploit.

How many critical openssl vulnerabilities are there?

openssl has 6 critical and 31 high-severity CVEs.

What is the average severity of openssl CVEs?

The average CVSS base score across openssl's scored CVEs is 6.6.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track openssl vulnerabilities

Monitor new openssl vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing