Skip to main content

rust-openssl CVE-2026-45784

MEDIUM
Incorrect Calculation of Buffer Size (CWE-131)
2026-05-19 https://github.com/rust-openssl/rust-openssl GHSA-phqj-4mhp-q6mq
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:18 vuln.today
Analysis Generated
May 19, 2026 - 20:18 vuln.today

DescriptionCVE.org

CipherCtxRef::cipher_update_inplace incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced.

This only impacts users using AES key-wrap-with-padding ciphers.

This method was missed in the fix for GHSA-xv59-967r-8726

AnalysisAI

Heap corruption in rust-openssl versions 0.10.50 through 0.10.79 allows attacker-controllable out-of-bounds writes of up to 7 bytes via the CipherCtxRef::cipher_update_inplace method when used with AES key-wrap-with-padding ciphers (EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad). The buffer sizing logic fails to account for AES-KWP's padding expansion when input length is not a multiple of 8, and because this occurs through FFI into native OpenSSL, Rust's memory safety guarantees do not prevent the corruption. This is a missed case from a prior fix for GHSA-xv59-967r-8726 in the same method; no public exploit has been identified at time of analysis.

Technical ContextAI

The rust-openssl crate (pkg:rust/openssl) provides Rust FFI bindings to the native OpenSSL C library. The vulnerable method CipherCtxRef::cipher_update_inplace performs symmetric cipher operations by allocating and reusing a single output buffer. AES key-wrap-with-padding (AES-KWP, RFC 5649) is an asymmetric-expansion cipher: when wrapping, it appends an 8-byte integrity check value (ICV) and pads the plaintext to the next multiple of 8 bytes, meaning output is always larger than input. For a non-multiple-of-8 input, the required output can be up to 7 bytes larger than the allocated buffer. The buffer sizing logic did not correctly account for this expansion, producing a buffer that is undersized by up to 7 bytes. CWE-131 (Incorrect Calculation of Buffer Size) is the precise root cause class: the formula used to compute the required output length was arithmetically incorrect for this cipher mode's expansion semantics. Because the write path goes through unsafe FFI into OpenSSL's C layer, Rust's ownership and bounds-checking guarantees cannot prevent the overwrite.

RemediationAI

Upgrade the rust-openssl crate to version 0.10.80 or later, which contains the corrected buffer sizing logic per the advisory at https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-phqj-4mhp-q6mq. Update Cargo.toml to specify openssl = "0.10.80" or a compatible semver constraint such as ">=0.10.80", then run cargo update to resolve the patched version. The vendor-released patch is version 0.10.80, independently confirmed by GHSA advisory data. If an immediate upgrade is not possible, the primary compensating control is to replace calls to cipher_update_inplace with cipher_update (the non-in-place variant), which is not affected by this bug; note that this trades the performance benefit of in-place operation for additional memory allocation. Alternatively, ensure that all inputs passed to cipher_update_inplace with AES-KWP ciphers are padded to a multiple of 8 bytes before invocation, which prevents the undersized buffer condition, though this requires application-level padding logic and careful validation.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Share

CVE-2026-45784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy