Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced.
This only impacts users using AES key-wrap-with-padding ciphers.
AnalysisAI
Heap buffer overflow in rust-openssl's AES key-wrap-with-padding cipher functions allows attackers to write up to 7 bytes past allocated buffer boundaries when processing non-multiple-of-8 plaintext inputs, enabling attacker-controlled heap corruption. Affected versions 0.10.0 through 0.10.78 are vulnerable when CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, or symm::Crypter::update are used with EVP_aes_128/192/256_wrap_pad ciphers.
Technical ContextAI
rust-openssl wraps OpenSSL's EVP cipher interface, exposing AES key-wrap-with-padding ciphers (EVP_aes_128/192/256_wrap_pad) via CipherCtxRef and symm::Crypter APIs. The vulnerability stems from incorrect output buffer allocation logic in these wrapper functions - OpenSSL's key-wrap padding mechanism requires output buffers sized to handle non-standard length requirements, but rust-openssl miscalculates required output size for non-multiple-of-8 inputs. When the underlying OpenSSL EVP_EncryptUpdate writes output, it extends beyond the undersized buffer, causing heap overflow (CWE-122: Heap-based Buffer Overflow). The issue is specific to padded key-wrap ciphers; standard AES modes and unpadded key-wrap are unaffected.
RemediationAI
Upgrade rust-openssl to version 0.10.79 or later immediately. This can typically be done by updating the Cargo.toml dependency to openssl = "0.10.79" or higher and running cargo update. No workarounds exist for versions prior to 0.10.79 if AES key-wrap-with-padding ciphers are in use; affected code paths must be disabled or removed entirely. If upgrading is not immediately feasible, the only mitigation is to refrain from using EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, or EVP_aes_256_wrap_pad ciphers until the patch is applied. Validate that input plaintext length is always a multiple of 8 bytes as a temporary compensating control, though this does not fully eliminate the heap corruption risk if the underlying OpenSSL behavior changes. See vendor advisory at https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726 for additional details.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30482
GHSA-xv59-967r-8726