Skip to content
CVSS 9.1 · CRITICAL

CVE-2026-41677

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.

View on NVD

Analysis

The rust-openssl crate (versions 0.9.0 to 0.10.77) contains a vulnerability in its PEM-loading APIs that can cause out-of-bounds memory reads when used with OpenSSL versions prior to 3.0. Developers using Rust for network services or security tools should update to version 0.10.78 to ensure callback return lengths are properly validated.

Severity

Score: 9.1(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: NONE
A: HIGH
Weakness (CWE): CWE-125CWE-1284

EPSS

Probability of exploitation (next 30 days): 0.0014 (0.1%)
Percentile: 34.4%
EPSS: 2026-05-06

Affects

rust-openssl_project:rust-openssl

Technical description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.

Published: 4/24/2026, 6:16:29 PM
Last modified: 4/28/2026, 5:34:03 PM

References

HomeEventsBlogResourcesTeam