CVSS 9.8 · CRITICAL

CVE-2026-41681

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. This vulnerability is fixed in 0.10.78.


Analysis

The rust-openssl crate (versions 0.10.39 to 0.10.77) contains a stack-based buffer overflow in its digest finalization logic (MdCtxRef::digest_final()). Because the unchecked write is reachable from safe Rust, the crate's memory-safety guarantee does not hold for this call: an application that finalizes a digest into a buffer smaller than the digest size corrupts memory, which could enable remote code execution when the hashed data comes from untrusted input. Update to version 0.10.78 immediately.

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-121

EPSS

Probability of exploitation (next 30 days): 0.0006 (0.1%)
Percentile: 17.4%
EPSS: 2026-05-06

Affects

rust-openssl_project:rust-openssl

Technical description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. This vulnerability is fixed in 0.10.78.
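The root cause described above is a missing check at the safe/unsafe boundary: EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) bytes and has no way of knowing how large the caller's slice is, so the Rust wrapper must enforce that invariant before handing the pointer across. The block below is an added illustration, not code from rust-openssl or from this advisory. It uses a constructed stand-in for the digest context and for the C function (MockMdCtx, evp_digest_final_mock, sha256_ctx and DigestError are all hypothetical names) so it runs without OpenSSL, and shows a hardened wrapper that rejects an undersized buffer before any write happens, which is the shape of the fix shipped in 0.10.78.

```rust
use std::ptr;

/// Constructed stand-in for an OpenSSL EVP_MD_CTX; only the digest size matters here.
pub struct MockMdCtx {
    pub md_size: usize,
}

/// Constructed stand-in for the C function EVP_DigestFinal(). Like the real one it
/// writes exactly the digest size to `out` and reports that count through `len`;
/// it has no knowledge of how large the caller's buffer actually is.
pub unsafe fn evp_digest_final_mock(ctx: &MockMdCtx, out: *mut u8, len: *mut u32) -> i32 {
    // SAFETY: the caller guarantees `out` points to at least `ctx.md_size` writable
    // bytes and `len` to a valid u32. A fixed fill byte stands in for digest output.
    unsafe {
        ptr::write_bytes(out, 0xAB, ctx.md_size);
        *len = ctx.md_size as u32;
    }
    1 // OpenSSL convention: 1 on success
}

#[derive(Debug, PartialEq)]
pub enum DigestError {
    /// The caller's buffer cannot hold the digest; nothing was written.
    BufferTooSmall { needed: usize, got: usize },
    /// The underlying call reported failure.
    Ffi,
}

/// Hardened wrapper: the Rust side checks the size invariant the C side cannot.
/// The vulnerable versions skipped this check and passed `out.as_mut_ptr()` through
/// unconditionally, so a short slice became an out-of-bounds write.
pub fn digest_final_checked(ctx: &MockMdCtx, out: &mut [u8]) -> Result<usize, DigestError> {
    let needed = ctx.md_size;
    if out.len() < needed {
        return Err(DigestError::BufferTooSmall { needed, got: out.len() });
    }
    let mut len: u32 = 0;
    // SAFETY: `out` holds at least `needed` bytes, which is all the callee writes.
    let rc = unsafe { evp_digest_final_mock(ctx, out.as_mut_ptr(), &mut len) };
    if rc != 1 {
        return Err(DigestError::Ffi);
    }
    Ok(len as usize)
}

/// Constructed context with the 32-byte output size of SHA-256.
pub fn sha256_ctx() -> MockMdCtx {
    MockMdCtx { md_size: 32 }
}

fn main() {
    let ctx = sha256_ctx();
    let mut small = [0u8; 16];
    // Rejected up front instead of overflowing the 16-byte stack array.
    println!("{:?}", digest_final_checked(&ctx, &mut small));
    let mut big = [0u8; 64];
    println!("{:?}", digest_final_checked(&ctx, &mut big));
}
```

The check costs one comparison and turns an undetectable stack corruption into an ordinary `Err` the caller must handle; the same pattern applies to any FFI routine whose write length is determined by the callee rather than by the buffer passed in.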

Published: 4/24/2026, 6:16:29 PM
Last modified: 4/28/2026, 5:44:16 PM
