Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.
Published: 2026-04-24
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds read can expose sensitive data
Action: Assess Impact
AI Analysis

Impact

rust‑openssl versions from 0.9.0 through 0.10.77 contain a flaw in the *_from_pem_callback APIs, where the callback length is not validated. When a user callback returns a value larger than the buffer provided, certain OpenSSL releases may over‑read this buffer, resulting in an out‑of‑bounds read. This can lead to the exposure of memory contents but does not directly enable code execution or modify data. The weakness is a classic out‑of‑bounds read (CWE‑125) and insufficient input validation (CWE‑1284).

Affected Systems

Vendors: rust‑openssl. Affected product: the rust‑openssl Rust library. Versions impacted are 0.9.0 up to, but not including, 0.10.78. OpenSSL 3.x does not exhibit the over‑read, so the issue is confined to systems that link the older rust‑openssl bindings against an affected OpenSSL release other than 3.x (such as OpenSSL 1.x).

Risk and Exploitability

The CVSS score of 1.7 indicates a low severity. The EPSS score of < 1% reflects a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely trigger is an application that processes a PEM file with a custom password callback; a callback (buggy or malicious) that returns an oversized length causes the over‑read. Because the effect is limited to memory disclosure, the practical impact is confined to the process in which the library runs. No remote exploitation path is evident from the description, and no conditions beyond normal library usage are required.

Generated by OpenCVE AI on April 28, 2026 at 05:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rust‑openssl to version 0.10.78 or later.
  • Ensure the underlying OpenSSL library is 3.x or is not affected by the over‑read issue.
  • If custom PEM password callbacks are used, validate the returned length before proceeding.

Generated by OpenCVE AI on April 28, 2026 at 05:59 UTC.
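The validation step in the last recommendation, as an added example that is not rust-openssl's own code: a password callback that writes at most the buffer's length, and a wrapper that rejects any returned length exceeding the buffer before it would be handed to OpenSSL. The simplified signature `FnOnce(&mut [u8]) -> usize` and the names `bounded_password_callback` and `checked_callback` are assumptions made here, not the crate's API.

```rust
// Added example modelling the PEM password-callback contract from the advisory:
// the callback receives a fixed-size buffer and must return how many bytes it
// wrote. A return value larger than buf.len() is the oversized length that the
// affected bindings passed through to OpenSSL unchecked.

/// Error raised when a callback claims to have written more than it was given.
#[derive(Debug, PartialEq)]
pub struct OversizedLength {
    pub returned: usize,
    pub capacity: usize,
}

/// Hardened callback: copies the secret into `buf`, never writing or claiming
/// more than `buf.len()` bytes. A secret longer than the buffer is truncated
/// (OpenSSL's own default prompt behaves the same way); the return value is
/// always the number of bytes actually written.
pub fn bounded_password_callback(buf: &mut [u8], secret: &[u8]) -> usize {
    let n = secret.len().min(buf.len());
    buf[..n].copy_from_slice(&secret[..n]);
    n
}

/// Defensive wrapper (hypothetical name): runs any callback and validates the
/// length it returns against the buffer it was given. This is the check that
/// was missing in rust-openssl before 0.10.78.
pub fn checked_callback<F>(buf: &mut [u8], cb: F) -> Result<usize, OversizedLength>
where
    F: FnOnce(&mut [u8]) -> usize,
{
    let capacity = buf.len();
    let returned = cb(buf);
    if returned > capacity {
        Err(OversizedLength { returned, capacity })
    } else {
        Ok(returned)
    }
}

fn main() {
    let mut buf = [0u8; 16];
    // Constructed sample secret; a real callback would fetch it from a prompt or vault.
    let n = checked_callback(&mut buf, |b| bounded_password_callback(b, b"hunter2")).unwrap();
    println!("bounded callback wrote {n} bytes");
    // A faulty callback that reports more bytes than the buffer holds is refused
    // rather than being forwarded to OpenSSL.
    let rejected = checked_callback(&mut buf, |b| b.len() + 100);
    println!("{rejected:?}");
}
```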

Advisories

Source: GitHub GHSA
ID: GHSA-xmgf-hq76-4vx2
Title: rust-openssl has an Out-of-bounds read in PEM password callback when returning an oversized length
History

Tue, 28 Apr 2026 17:45:00 +0000

Type: CPEs. Values added: cpe:2.3:a:rust-openssl_project:rust-openssl:*:*:*:*:*:rust:*:*
Type: Metrics (cvssV3_1). Values added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Tue, 28 Apr 2026 09:00:00 +0000

Type: First Time appeared. Values added: Rust-openssl Project; Rust-openssl Project rust-openssl
Type: Vendors & Products. Values added: Rust-openssl Project; Rust-openssl Project rust-openssl

Fri, 24 Apr 2026 18:15:00 +0000

Type: Metrics (ssvc). Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 17:30:00 +0000

Type: Description. Values added: rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.
Type: Title. Values added: rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length
Type: Weaknesses. Values added: CWE-125; CWE-1284
Type: References. Values added: (empty)
Type: Metrics (cvssV4_0). Values added: {'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-24T18:02:27.756Z
Reserved: 2026-04-22T03:53:24.406Z
Link: CVE-2026-41677

Vulnrichment

Updated: 2026-04-24T18:02:24.370Z

NVD

Status: Analyzed
Published: 2026-04-24T18:16:29.270
Modified: 2026-04-28T17:34:03.913
Link: CVE-2026-41677

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses