Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. This vulnerability is fixed in 0.10.78.
Published: 2026-04-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential stack corruption leading to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs when the rust‑openssl crate’s MdCtxRef::digest_final method writes more bytes to the supplied output buffer than the buffer can hold. If the caller passes a buffer smaller than EVP_MD_CTX_size(ctx), the function overwrites adjacent memory, typically corrupting the stack. This overflow is reachable from safe Rust code, meaning an attacker can trigger it without unsafe operations. The stack corruption can lead to arbitrary code execution, denial of service, or other severe impacts depending on how the corrupted stack is used.

Affected Systems

Applications that depend on the rust‑openssl crate between versions 0.10.39 and before 0.10.78 are affected. Any Rust program that links to these releases and calls EVP_DigestFinal or digest_final with an undersized buffer is vulnerable. The issue was fixed in release 0.10.78 and later versions.

Risk and Exploitability

The CVSS score of 8.1 classifies this issue as high severity, but the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local or application‑level, as the flaw is reachable through safe Rust code. A malicious actor who controls the data passed to digest_final or the buffer size could exploit the overflow to corrupt memory, which may result in code execution or a crash. No remote exploitation vector is documented in the provided description.

Generated by OpenCVE AI on April 28, 2026 at 05:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the rust‑openssl crate to 0.10.78 or newer and rebuild all dependent projects.
  • Ensure your Cargo.lock or lockfile references the patched version and that no older dependency is pulled in by transitive dependencies.
  • After upgrading, monitor for abnormal crashes or memory corruption that could indicate older versions were still in use.

Generated by OpenCVE AI on April 28, 2026 at 05:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ghm9-cr32-g9qj rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check
History

Tue, 28 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rust-openssl_project:rust-openssl:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Rust-openssl Project
Rust-openssl Project rust-openssl
Vendors & Products Rust-openssl Project
Rust-openssl Project rust-openssl

Fri, 24 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. This vulnerability is fixed in 0.10.78.
Title rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check
Weaknesses CWE-121
References
Metrics cvssV4_0

{'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Rust-openssl Project Rust-openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T17:42:54.765Z

Reserved: 2026-04-22T03:53:24.406Z

Link: CVE-2026-41681

cve-icon Vulnrichment

Updated: 2026-04-24T17:42:51.659Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T18:16:29.717

Modified: 2026-04-28T17:44:16.670

Link: CVE-2026-41681

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses