CVE-2026-7531
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
Use-after-free vulnerability in PQC hybrid key-share handling. This is an incomplete fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.
Risk Assessment
The risk for the organization is the possibility of remote code execution or system crash by an attacking TLS server, which could lead to breach of confidentiality and availability of services.
Recommendation
It is recommended to immediately update to version 5.9.2 or later, which contains a complete fix for this vulnerability. Also monitor TLS 1.3 communication with hybrid PQC keys.
Original NVD description (English source)
Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

