Impact
rust-openssl, a Rust binding for OpenSSL, returned OCSP responder URLs as &str by wrapping raw bytes with str::from_utf8_unchecked when parsing the certificate's AIA extension. Because OpenSSL does not enforce that the IA5String is ASCII, a certificate containing non‑UTF‑8 bytes in its OCSP accessLocation can trigger construction of a &str that violates the UTF‑8 invariant, resulting in undefined behavior. If exploited, this could corrupt memory, cause a crash, or potentially allow an attacker to execute arbitrary code within the process that uses the vulnerable library.
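The defect described above is the unchecked conversion, not the certificate parsing itself. The following is an added illustration (not rust-openssl's code) that places the pre-fix pattern next to a hardened replacement: instead of lending out a &str built with str::from_utf8_unchecked, the safe version validates that every byte of the accessLocation is 7-bit ASCII (the IA5String alphabet, which is stricter than UTF-8) and returns an error otherwise. The tiny DER decoder and the AiaUrlError type are assumptions made for the example, and the sample byte strings are constructed; a 0xFF byte stands in for the non-UTF-8 content a crafted certificate could carry.

```rust
use std::str;

/// Error type for the hardened parser (hypothetical; not from rust-openssl).
#[derive(Debug, PartialEq, Eq)]
pub enum AiaUrlError {
    NotIa5String,
    BadLength,
    /// Index of the first byte outside the IA5 (7-bit ASCII) range.
    NonAscii(usize),
}

/// DER universal tag for IA5String.
const TAG_IA5STRING: u8 = 0x16;

/// Pre-0.10.79 pattern, as the advisory describes it: the bytes OpenSSL hands
/// back are trusted and the UTF-8 check is skipped. Calling this with bytes
/// that are not valid UTF-8 is undefined behaviour. Kept only for comparison.
pub fn url_unchecked(raw: &[u8]) -> &str {
    // SAFETY: there is none; this is the defect.
    unsafe { str::from_utf8_unchecked(raw) }
}

/// Hardened replacement: validate before constructing a &str. Because the
/// accessLocation is an IA5String, anything outside ASCII is rejected, which
/// covers every input that would have broken the UTF-8 invariant.
pub fn url_checked(raw: &[u8]) -> Result<&str, AiaUrlError> {
    if let Some(pos) = raw.iter().position(|b| !b.is_ascii()) {
        return Err(AiaUrlError::NonAscii(pos));
    }
    // Every byte is ASCII, so this checked conversion cannot fail.
    Ok(str::from_utf8(raw).expect("ASCII is always valid UTF-8"))
}

/// Minimal decoder for one short-form IA5String TLV (tag, length < 128, value).
/// Stands in for what the ASN.1 layer returns from the AIA extension.
pub fn parse_ia5string_der(der: &[u8]) -> Result<&str, AiaUrlError> {
    let (&tag, rest) = der.split_first().ok_or(AiaUrlError::BadLength)?;
    if tag != TAG_IA5STRING {
        return Err(AiaUrlError::NotIa5String);
    }
    let (&len, value) = rest.split_first().ok_or(AiaUrlError::BadLength)?;
    if len >= 0x80 || value.len() != len as usize {
        return Err(AiaUrlError::BadLength);
    }
    url_checked(value)
}

/// Wraps a value in a short-form IA5String TLV (constructed test data only).
fn der_ia5(value: &[u8]) -> Vec<u8> {
    assert!(value.len() < 0x80, "short-form length only");
    let mut out = vec![TAG_IA5STRING, value.len() as u8];
    out.extend_from_slice(value);
    out
}

/// Constructed sample: a well-formed OCSP responder URL.
pub fn sample_good() -> Vec<u8> {
    der_ia5(b"http://ocsp.example.test")
}

/// Constructed sample: the same URL with byte 7 replaced by 0xFF, which OpenSSL's
/// IA5String handling does not reject but which is not valid UTF-8.
pub fn sample_bad() -> Vec<u8> {
    let mut url = b"http://ocsp.example.test".to_vec();
    url[7] = 0xFF;
    der_ia5(&url)
}

fn main() {
    for der in [sample_good(), sample_bad()] {
        match parse_ia5string_der(&der) {
            Ok(url) => println!("accepted: {url}"),
            Err(e) => println!("rejected: {e:?}"),
        }
    }
}
```

Returning a Result forces callers to decide what to do with a malformed AIA entry (typically skip OCSP for that certificate and log it), whereas the unchecked path silently hands later code a &str that breaks the language's invariant; a fuzzer feeding non-ASCII bytes into the accessLocation is the simplest way to confirm a build is on the checked path.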
Affected Systems
The vulnerability affects the rust-openssl crate versions 0.9.7 up to and including 0.10.78. Systems that compile or link against any of these versions, particularly applications that parse X509 certificates and read OCSP URLs from their AIA extension, are impacted. The fix is included in version 0.10.79 and later.
Risk and Exploitability
The CVSS score is 8.7, indicating a high severity that would be classed as "Critical" in many contexts. The EPSS score is not available, and the absence of a KEV listing does not preclude exploitation, especially in environments that process untrusted certificates. Based on the description, the likely attack vector is local or remote delivery of a crafted certificate with non-UTF-8 OCSP URLs to a vulnerable application that processes X509 certificates via rust-openssl. The undefined behavior induced by the unchecked conversion could be leveraged to cause a crash or, in a sophisticated scenario, to manipulate program control flow and achieve code execution. The vulnerability is already fixed in a later library version, so the primary exposure is deployments that remain on an unpatched version.
Sources: OpenCVE enrichment, GitHub GHSA