Description
rssn is a scientific computing library for Rust, combining a high-performance symbolic computation engine with numerical methods support and physics simulations functionalities. The vulnerability exists in the JIT (Just-In-Time) compilation engine, which is fully exposed via the CFFI (Foreign Function Interface). Due to Improper Input Validation and External Control of Code Generation, an attacker can supply malicious parameters or instruction sequences through the CFFI layer. Since the library often operates with elevated privileges or within high-performance computing contexts, this allows for Arbitrary Code Execution (ACE) at the privilege level of the host process.
Published: 2026-03-10
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution at host process privilege level
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper input validation in the JIT compilation engine exposed through the CFFI layer. An attacker employing the library’s foreign function interface can provide crafted instruction sequences that trigger the JIT to generate and execute arbitrary code. This yields complete control over the host process, allowing escalation of privileges or full compromise of the system.

Affected Systems

The affected product is the rssn scientific computing library from Apich‑Organization. No specific product version is listed in the CNA data, but public references indicate a release tag v0.2.9 that may contain the fix. Systems that load rssn via CFFI—especially those running with elevated privileges or in high‑performance computing environments—are potentially impacted.

Risk and Exploitability

The CVSS base score of 9.4 classifies the issue as critical. The EPSS score is less than 1%, indicating a low current exploitation probability, and the vulnerability is not listed in the KEV catalog. Nevertheless, the attack requires only local or foreign code that can call the library, so any environment running rssn and exposing its CFFI interface is at risk if inputs are not tightly controlled.

Generated by OpenCVE AI on April 16, 2026 at 09:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rssn to the latest secure release, such as v0.2.9 or later, to obtain the vendor‑provided fix.
  • Validate all arguments passed to the CFFI interface before invoking JIT compilation, ensuring that only well‑formed, non‑malicious instruction sequences reach the code generator.
  • Limit the privileges of processes that load rssn or execute untrusted code, and consider isolating them in a sandbox or container to contain potential breaches.
  • Review application code to remove or restrict CFFI calls that handle untrusted data, minimizing the attack surface.

Generated by OpenCVE AI on April 16, 2026 at 09:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9c4h-pwmf-m6fj RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface
History

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apich-organization
Apich-organization rssn
Vendors & Products Apich-organization
Apich-organization rssn

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description rssn is a scientific computing library for Rust, combining a high-performance symbolic computation engine with numerical methods support and physics simulations functionalities. The vulnerability exists in the JIT (Just-In-Time) compilation engine, which is fully exposed via the CFFI (Foreign Function Interface). Due to Improper Input Validation and External Control of Code Generation, an attacker can supply malicious parameters or instruction sequences through the CFFI layer. Since the library often operates with elevated privileges or within high-performance computing contexts, this allows for Arbitrary Code Execution (ACE) at the privilege level of the host process.
Title RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface
Weaknesses CWE-269
CWE-695
CWE-754
CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Apich-organization Rssn
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:58:17.359Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30960

cve-icon Vulnrichment

Updated: 2026-03-10T17:58:13.752Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-10T18:18:55.227

Modified: 2026-03-11T13:53:20.707

Link: CVE-2026-30960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses