Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8Blast Radius
ecosystem impact- 368 cargo packages depend on openssl (77 direct, 291 indirect)
Ecosystem-wide dependent count for version 0.9.24.
DescriptionCVE.org
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78.
AnalysisAI
Buffer overflow in rust-openssl 0.9.24 through 0.10.77 allows remote unauthenticated attackers to trigger memory corruption via crafted PSK (Pre-Shared Key) or cookie callback responses. The FFI trampolines in SslContextBuilder fail to validate closure-returned buffer sizes against allocated memory regions before passing values to OpenSSL, enabling out-of-bounds writes. Patch released in version 0.10.78. SSVC framework indicates no active exploitation detected, non-automatable attack requiring precise timing conditions (CVSS AT:P), with partial technical impact limited to confidentiality breach and minor availability disruption.
Technical ContextAI
rust-openssl is a Rust language binding library providing safe FFI (Foreign Function Interface) wrappers around OpenSSL cryptographic functions. The vulnerability resides in four callback registration methods within SslContextBuilder: set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb. These methods create FFI trampolines that bridge Rust closures to C-compatible OpenSSL callbacks. The root cause (CWE-126: Buffer Over-read) occurs when the trampoline forwards the usize return value from user-provided closures directly to OpenSSL without bounds-checking it against the mutable byte slice (&mut [u8]) passed to the closure. This violates Rust's memory safety guarantees at the FFI boundary, allowing the closure to specify arbitrary buffer lengths that exceed allocated memory regions, resulting in buffer overflows when OpenSSL attempts to read or write beyond valid boundaries. The affected CPE (cpe:2.3:a:rust-openssl:rust-openssl) spans versions 0.9.24 through 0.10.77, covering approximately two years of releases.
RemediationAI
Upgrade rust-openssl to version 0.10.78 or later, released with fix commit 1d109020d98fff2fb2e45c39a373af3dff99b24c (see https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78 and PR https://github.com/rust-openssl/rust-openssl/pull/2607). Update Cargo.toml dependency to openssl = "0.10.78" and run cargo update. For applications unable to upgrade immediately, implement compensating controls by auditing all SslContextBuilder callback closures to ensure returned usize values never exceed the length of the provided &mut [u8] slice, adding explicit bounds checks like return callback_data.len().min(buffer.len()) before returning buffer sizes. Alternative mitigation: disable PSK cipher suites in TLS configuration if not required for business logic, forcing certificate-based authentication only, though this may break compatibility with embedded/IoT devices expecting PSK. Note that disabling callbacks entirely eliminates attack surface but removes PSK and stateless DTLS functionality. Test callback logic thoroughly after applying workarounds, as overly restrictive bounds checking may cause TLS handshake failures.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-126 – Buffer Over-read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25587
GHSA-hppc-g8h3-xhp3