Skip to main content

rust-openssl CVE-2026-41676

HIGH
Incorrect Calculation of Buffer Size (CWE-131)
2026-04-22 https://github.com/rust-openssl/rust-openssl GHSA-pqf5-4pqq-29f5
7.2
CVSS 4.0 · Vendor: https://github.com/rust-openssl/rust-openssl
Share

Severity by source

Vendor (https://github.com/rust-openssl/rust-openssl) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/rust-openssl/rust-openssl) · only source for this CVE.

CVSS VectorVendor: https://github.com/rust-openssl/rust-openssl

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 18:22 NVD
7.2 (HIGH)
Analysis Generated
Apr 23, 2026 - 06:54 vuln.today
Analysis Generated
Apr 22, 2026 - 21:46 vuln.today
Patch released
Apr 22, 2026 - 21:46 nvd
Patch available
CVE Published
Apr 22, 2026 - 21:22 nvd
HIGH 7.2

DescriptionCVE.org

Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL.

AnalysisAI

Memory corruption in rust-openssl's key derivation functions allows heap or stack buffer overflow when applications pass undersized buffers to Deriver::derive or PkeyCtxRef::derive on OpenSSL 1.1.x. The vulnerability affects X25519, X448, DH, and HKDF-extract operations where OpenSSL ignores the caller-specified buffer length and unconditionally writes the full shared secret, causing safe Rust code to trigger memory corruption. Vendor patch available in v0.10.78; OpenSSL 3.x deployments are not affected as newer providers correctly validate buffer lengths.

Technical ContextAI

The rust-openssl crate provides Rust bindings to OpenSSL cryptographic primitives. The Deriver::derive and PkeyCtxRef::derive methods wrap OpenSSL's EVP_PKEY_derive API for key agreement and key derivation operations. The vulnerability stems from behavioral differences between OpenSSL 1.1.x and 3.x in EVP_PKEY_derive implementations. OpenSSL 1.1.x implementations for X25519 (32-byte output), X448 (56-byte output), Diffie-Hellman (prime-size output), and HKDF-extract operations ignore the incoming keylen parameter that specifies buffer capacity, instead unconditionally writing the full derived key material. The rust-openssl binding sets this parameter to buf.len() but does not enforce minimum buffer sizes, creating a CWE-131 (Incorrect Calculation of Buffer Size) condition. When application code allocates a buffer smaller than the algorithm's native output size, OpenSSL writes past the buffer boundary, corrupting adjacent heap or stack memory from within safe Rust code that should be memory-safe by language guarantees. OpenSSL 3.x corrected this by having provider implementations validate keylen before writing, eliminating the overflow risk for deployments using modern OpenSSL versions.

RemediationAI

Upgrade rust-openssl to version 0.10.78 or later, released at https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78, which adds buffer size validation before calling EVP_PKEY_derive (fixed in commit 09b425e5f59a2466d806e71a83a9a449c914c596 via PR https://github.com/rust-openssl/rust-openssl/pull/2606). The patch enforces minimum buffer sizes matching algorithm output lengths, preventing OpenSSL from writing beyond allocated boundaries. If immediate upgrade is not feasible, migrate to OpenSSL 3.x libraries which inherently validate buffer lengths in provider implementations, eliminating the overflow condition without code changes. As a temporary workaround, audit all invocations of Deriver::derive and PkeyCtxRef::derive to ensure allocated buffers match or exceed algorithm-specific output sizes: 32 bytes for X25519, 56 bytes for X448, prime size for DH, and expected output length for HKDF-extract. This workaround requires careful code review and offers no programmatic enforcement, making it error-prone for ongoing development. Note that switching to OpenSSL 3.x may introduce compatibility considerations for applications relying on deprecated algorithms or legacy provider behavior.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Share

CVE-2026-41676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy