CVE-2026-41677

LOW SEVERITY

CVSS Score & Metrics

Base Score

9.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H                                    

Vulnerability Description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.

Vulnerability Details

Published Date

April 22, 2026

Last Modified

April 28, 2026

CWE ID

CWE-125

Source

GitHub

Vendor

rust

Product

openssl

External References

https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2
https://github.com/rust-openssl/rust-openssl/pull/2605
https://github.com/rust-openssl/rust-openssl/commit/5af6895c907773699f37f583f409b862284062b1
https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78
https://github.com/advisories/GHSA-xmgf-hq76-4vx2

CVE-2026-41677

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment