rust-openssl CVE-2026-41676
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/rust-openssl/rust-openssl) · only source for this CVE.
CVSS VectorVendor: https://github.com/rust-openssl/rust-openssl
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL.
AnalysisAI
Memory corruption in rust-openssl's key derivation functions allows heap or stack buffer overflow when applications pass undersized buffers to Deriver::derive or PkeyCtxRef::derive on OpenSSL 1.1.x. The vulnerability affects X25519, X448, DH, and HKDF-extract operations where OpenSSL ignores the caller-specified buffer length and unconditionally writes the full shared secret, causing safe Rust code to trigger memory corruption. Vendor patch available in v0.10.78; OpenSSL 3.x deployments are not affected as newer providers correctly validate buffer lengths.
Technical ContextAI
The rust-openssl crate provides Rust bindings to OpenSSL cryptographic primitives. The Deriver::derive and PkeyCtxRef::derive methods wrap OpenSSL's EVP_PKEY_derive API for key agreement and key derivation operations. The vulnerability stems from behavioral differences between OpenSSL 1.1.x and 3.x in EVP_PKEY_derive implementations. OpenSSL 1.1.x implementations for X25519 (32-byte output), X448 (56-byte output), Diffie-Hellman (prime-size output), and HKDF-extract operations ignore the incoming keylen parameter that specifies buffer capacity, instead unconditionally writing the full derived key material. The rust-openssl binding sets this parameter to buf.len() but does not enforce minimum buffer sizes, creating a CWE-131 (Incorrect Calculation of Buffer Size) condition. When application code allocates a buffer smaller than the algorithm's native output size, OpenSSL writes past the buffer boundary, corrupting adjacent heap or stack memory from within safe Rust code that should be memory-safe by language guarantees. OpenSSL 3.x corrected this by having provider implementations validate keylen before writing, eliminating the overflow risk for deployments using modern OpenSSL versions.
RemediationAI
Upgrade rust-openssl to version 0.10.78 or later, released at https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78, which adds buffer size validation before calling EVP_PKEY_derive (fixed in commit 09b425e5f59a2466d806e71a83a9a449c914c596 via PR https://github.com/rust-openssl/rust-openssl/pull/2606). The patch enforces minimum buffer sizes matching algorithm output lengths, preventing OpenSSL from writing beyond allocated boundaries. If immediate upgrade is not feasible, migrate to OpenSSL 3.x libraries which inherently validate buffer lengths in provider implementations, eliminating the overflow condition without code changes. As a temporary workaround, audit all invocations of Deriver::derive and PkeyCtxRef::derive to ensure allocated buffers match or exceed algorithm-specific output sizes: 32 bytes for X25519, 56 bytes for X448, prime size for DH, and expected output length for HKDF-extract. This workaround requires careful code review and offers no programmatic enforcement, making it error-prone for ongoing development. Note that switching to OpenSSL 3.x may introduce compatibility considerations for applications relying on deprecated algorithms or legacy provider behavior.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-131 – Incorrect Calculation of Buffer Size
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pqf5-4pqq-29f5