CVE Catalog

CVE-2026-7531

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile — higher than 20% of all known CVEs

Summary

Use-after-free vulnerability in PQC hybrid key-share handling. This is an incomplete fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

Risk Assessment

The risk for the organization is the possibility of remote code execution or system crash by an attacking TLS server, which could lead to breach of confidentiality and availability of services.

Recommendation

It is recommended to immediately update to version 5.9.2 or later, which contains a complete fix for this vulnerability. Also monitor TLS 1.3 communication with hybrid PQC keys.

Original NVD description (English source)

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS