Comprehensive data protection for all workloads
massimiliano.rizzi
Service Provider
Full Name: Massimiliano Rizzi

Is Veeam OpenSSL3 FIPS Provider affected by CVE-2026-2673?

Post by massimiliano.rizzi »

Hello experts,

I just wanted to check whether the Veeam OpenSSL3 FIPS Provider that ships with the most recent versions of Veeam Backup & Replication and Veeam Agent for Microsoft Windows is affected by the vulnerability CVE-2026-2673.

Thanks!

Massimiliano
Mildur
Product Manager
Full Name: Fabian K.
Location: Switzerland

Re: Is Veeam OpenSSL3 FIPS Provider affected by CVE-2026-2673?

Post by Mildur »

Hi Massimiliano,

A quick review of the provided CVE confirms that only OpenSSL 3.6 and 3.5 are affected.

According to our Open Source Software list, we don’t use either of those versions; we use OpenSSL 3.0, which is explicitly listed as not affected. The same source also states that OpenSSL FIPS modules are not affected.

Do you have any information that suggests otherwise?

Source: https://www.cve.org/CVERecord?id=CVE-2026-2673
"No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue."

Our Open Source Software list:
https://www.veeam.com/legal/eula-oss.ht ... version=13

Best,
Fabian
Product Management Analyst @ Veeam Software