Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78.
Published: 2026-04-24
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory leakage and buffer overflow
Action: Apply Patch
AI Analysis

Impact

rust-openssl provides OpenSSL bindings for Rust. The vulnerability exists in versions 0.9.24 through 0.10.77, where the FFI trampolines for PSK callbacks and cookie generation forwarded a length returned by the user closure directly to OpenSSL without validating it against the supplied buffer. This unchecked length can cause buffer overflows or unintentional memory disclosure to a connected peer. The weaknesses are represented by CWE-126 and CWE-130.

Affected Systems

The affected product is the rust-openssl library used in Rust applications, specifically versions 0.9.24 up to 0.10.77 inclusive. The fix was introduced in release 0.10.78.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity, but the EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attacks are likely to involve a Rust application that configures user-defined PSK or cookie callbacks; by providing a closure that returns an overly large length, an attacker could corrupt memory or cause OpenSSL to leak sensitive data to the network peer. The exploitation requires control over the application’s callback implementation, so the threat is moderate but warrants prompt remediation.

Generated by OpenCVE AI on April 28, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the rust-openssl crate to version 0.10.78 or later.
  • Update all Cargo.toml dependencies to use the patched version and rebuild the application.
  • If an immediate upgrade is not possible, modify or disable any custom PSK or cookie callbacks, ensuring that the length returned is validated before being passed to OpenSSL.

Generated by OpenCVE AI on April 28, 2026 at 05:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hppc-g8h3-xhp3 rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
History

Tue, 28 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rust-openssl_project:rust-openssl:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Rust-openssl Project
Rust-openssl Project rust-openssl
Vendors & Products Rust-openssl Project
Rust-openssl Project rust-openssl

Fri, 24 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78.
Title rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer
Weaknesses CWE-126
CWE-130
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Rust-openssl Project Rust-openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:01:47.877Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41898

cve-icon Vulnrichment

Updated: 2026-04-24T18:01:43.767Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T18:16:29.860

Modified: 2026-04-28T17:45:23.627

Link: CVE-2026-41898

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses