rust-openssl CVE-2026-45784
MEDIUMLifecycle Timeline
2DescriptionCVE.org
CipherCtxRef::cipher_update_inplace incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced.
This only impacts users using AES key-wrap-with-padding ciphers.
This method was missed in the fix for GHSA-xv59-967r-8726
AnalysisAI
Heap corruption in rust-openssl versions 0.10.50 through 0.10.79 allows attacker-controllable out-of-bounds writes of up to 7 bytes via the CipherCtxRef::cipher_update_inplace method when used with AES key-wrap-with-padding ciphers (EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad). The buffer sizing logic fails to account for AES-KWP's padding expansion when input length is not a multiple of 8, and because this occurs through FFI into native OpenSSL, Rust's memory safety guarantees do not prevent the corruption. This is a missed case from a prior fix for GHSA-xv59-967r-8726 in the same method; no public exploit has been identified at time of analysis.
Technical ContextAI
The rust-openssl crate (pkg:rust/openssl) provides Rust FFI bindings to the native OpenSSL C library. The vulnerable method CipherCtxRef::cipher_update_inplace performs symmetric cipher operations by allocating and reusing a single output buffer. AES key-wrap-with-padding (AES-KWP, RFC 5649) is an asymmetric-expansion cipher: when wrapping, it appends an 8-byte integrity check value (ICV) and pads the plaintext to the next multiple of 8 bytes, meaning output is always larger than input. For a non-multiple-of-8 input, the required output can be up to 7 bytes larger than the allocated buffer. The buffer sizing logic did not correctly account for this expansion, producing a buffer that is undersized by up to 7 bytes. CWE-131 (Incorrect Calculation of Buffer Size) is the precise root cause class: the formula used to compute the required output length was arithmetically incorrect for this cipher mode's expansion semantics. Because the write path goes through unsafe FFI into OpenSSL's C layer, Rust's ownership and bounds-checking guarantees cannot prevent the overwrite.
RemediationAI
Upgrade the rust-openssl crate to version 0.10.80 or later, which contains the corrected buffer sizing logic per the advisory at https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-phqj-4mhp-q6mq. Update Cargo.toml to specify openssl = "0.10.80" or a compatible semver constraint such as ">=0.10.80", then run cargo update to resolve the patched version. The vendor-released patch is version 0.10.80, independently confirmed by GHSA advisory data. If an immediate upgrade is not possible, the primary compensating control is to replace calls to cipher_update_inplace with cipher_update (the non-in-place variant), which is not affected by this bug; note that this trades the performance benefit of in-place operation for additional memory allocation. Alternatively, ensure that all inputs passed to cipher_update_inplace with AES-KWP ciphers are padded to a multiple of 8 bytes before invocation, which prevents the undersized buffer condition, though this requires application-level padding logic and careful validation.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-131 – Incorrect Calculation of Buffer Size
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-phqj-4mhp-q6mq