Buffer Over-read Vulnerability in rust-openssl by Rust
CVE-2026-41677

1.7LOW

Key Information:

Vendor: Rust-OpenSSL
Status: Rust-OpenSSL
Vendor: CVE Published:; 24 April 2026

🔔 Create Rust-OpenSSL Vulnerability Alert

What is CVE-2026-41677?

A security flaw exists in the rust-openssl library, specifically affecting versions from 0.9.0 up to, but not including, 0.10.78. The issue arises from the *_from_pem_callback APIs, which fail to properly validate the length returned by a user's callback function. This negligence can lead to scenarios where the password callback returns a value that exceeds the allocated buffer size, resulting in potential over-read vulnerabilities. It is important to note that OpenSSL 3.x is immune to this vulnerability. The issue has been addressed in the updated version 0.10.78.

Affected Version(s)

rust-openssl >= 0.9.0, < 0.10.78

References

https://github.com/rust-openssl/rust-openssl/security/adv...

x_refsource_CONFIRM

CVSS V4

Score:

1.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41677 Data

JSON