Out-of-Bounds Write Vulnerability in rust-openssl Affects OpenSSL Bindings for Rust
CVE-2026-41678

7.2HIGH

Key Information:

Vendor: Rust-OpenSSL
Status: Rust-OpenSSL
Vendor: CVE Published:; 24 April 2026

🔔 Create Rust-OpenSSL Vulnerability Alert

What is CVE-2026-41678?

The rust-openssl project, which provides OpenSSL bindings for the Rust programming language, contains a flaw in the aes::unwrap_key() function up to version 0.10.78. This flaw results from an incorrect assertion that improperly verifies the size of the output buffer. The check should confirm that the output buffer is sufficiently large to accommodate the data being written; however, due to an inverted condition, the function rejects larger buffers. When a smaller buffer is utilized, the function may write beyond its bounds, leading to potential data corruption and security risks. This issue has been addressed in version 0.10.78.

Affected Version(s)

rust-openssl >= 0.10.24, < 0.10.78

References

https://github.com/rust-openssl/rust-openssl/security/adv...

x_refsource_CONFIRM

CVSS V4

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41678 Data

JSON