VMware ESXi assessment for OpenSSL vulnerability CVE-2026-2673

Article ID: 436364

Products

VMware vSphere ESXi

Issue/Introduction

This article addresses questions about the impact of CVE-2026-2673 (OpenSSL insecure algorithm downgrade) on VMware ESXi 7.x and 8.x environments.

Environment

  • VMware ESXi 8.0.x
  • VMware ESXi 7.0.x

Cause

CVE-2026-2673 is specific to OpenSSL version 3.5.x and implementations utilizing specific TLS 1.3 keyword handling.

Resolution

VMware ESXi 7.0 and 8.0 are not affected by CVE-2026-2673.

  • ESXi 8.0.x utilizes the OpenSSL 3.0 series (e.g., OpenSSL 3.0.19).
  • ESXi 7.0.x utilizes the OpenSSL 1.0.2 series.

According to the official OpenSSL project, versions 3.4, 3.3, 3.0, 1.1.1, and 1.0.2 are not affected by this issue. No remediation or patching is required for ESXi hosts regarding this CVE.
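To apply the series list above across a fleet, the following added example (not part of the original article or any Broadcom tooling) classifies `openssl version` banners against the series this article names. The host names and banner strings are constructed sample data, and the verdict labels are this example's own; a series the article does not mention is reported as `unlisted` rather than assumed safe.

```sh
#!/bin/sh
# Added example: classify OpenSSL version banners against the series
# named in this article for CVE-2026-2673. Sample inventory is constructed.

# classify_openssl "<banner from 'openssl version'>"
# Prints: affected-series | not-affected | unlisted | unparsed
classify_openssl() {
    # Extract the numeric x.y.z core; letter suffixes (1.0.2zz-fips) are dropped.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\2/p')
    [ -n "$ver" ] || { echo unparsed; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # OpenSSL 3.x names a series by major.minor; 1.x by major.minor.patch.
    if [ "$major" -ge 3 ]; then
        series="$major.$minor"
    else
        series="$major.$minor.$patch"
    fi
    case "$series" in
        3.5) echo affected-series ;;   # check the OpenSSL advisory for the fixed release
        3.4|3.3|3.0|1.1.1|1.0.2) echo not-affected ;;   # listed as unaffected in this article
        *) echo unlisted ;;            # not mentioned here; do not assume either way
    esac
}

# audit_inventory reads "host|banner" lines on stdin, prints "host verdict".
audit_inventory() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(classify_openssl "$banner")"
    done
}

# Constructed inventory: one banner per host, as collected with 'openssl version'.
audit_inventory <<'EOF'
esx8-a.example|OpenSSL 3.0.19
esx7-b.example|OpenSSL 1.0.2zz-fips
appliance-c.example|OpenSSL 3.5.0
appliance-d.example|OpenSSL 3.2.1
appliance-e.example|n/a
EOF
```
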

Additional Information

Refer to the release notes of the specific ESXi version to determine which OpenSSL package is present.

ESXi 7.X - https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3o-release-notes.html

ESXi 8.X - https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3i-release-notes.html