Critical severity9.1NVD Advisory· Published Apr 24, 2026· Updated Apr 28, 2026

CVE-2026-41677

Description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
opensslcrates.io	>= 0.9.0, < 0.10.78	0.10.78

Affected products

Rust Openssl Project/Rust Openssl
cpe:2.3:a:rust-openssl_project:rust-openssl:*:*:*:*:*:rust:*:*
Range: >=0.9.0,<0.10.78

Patches

5af6895c9077

Reject oversized length returns from password callback trampoline (#2605)

https://github.com/rust-openssl/rust-opensslAlex GaynorApr 19, 2026via ghsa

commit

2 files changed · +21 −0

openssl/src/ec.rs+20 −0 modified

@@ -1098,6 +1098,7 @@ mod test {
     use super::*;
     use crate::bn::{BigNum, BigNumContext};
     use crate::nid::Nid;
+    use crate::symm::Cipher;
 
     #[test]
     fn key_new_by_curve_name() {
@@ -1110,6 +1111,25 @@ mod test {
         EcKey::generate(&group).unwrap();
     }
 
+    #[test]
+    fn test_password_callback_oversize_return_is_rejected() {
+        // The password callback trampoline must reject a user-returned
+        // length that exceeds the size of the buffer it handed out.
+        // Otherwise some versions of OpenSSL read past the buffer when
+        // deriving the decryption key.
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
+        let key = EcKey::generate(&group).unwrap();
+        let encrypted = key
+            .private_key_to_pem_passphrase(Cipher::aes_128_cbc(), b"correct-pw")
+            .unwrap();
+
+        let result = EcKey::private_key_from_pem_callback(&encrypted, |buf| {
+            buf[..10].copy_from_slice(b"correct-pw");
+            Ok(buf.len() * 10)
+        });
+        assert!(result.is_err());
+    }
+
     #[test]
     fn ec_group_from_components() {
         // parameters are from secp256r1

openssl/src/util.rs+1 −0 modified

@@ -55,6 +55,7 @@ where
     }));
 
     match result {
+        Ok(Ok(len)) if len > size as usize => 0,
         Ok(Ok(len)) => len as c_int,
         Ok(Err(_)) => {
             // FIXME restore error stack

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-xmgf-hq76-4vx2ghsaADVISORY
github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-41677ghsaADVISORY
github.com/rust-openssl/rust-openssl/commit/5af6895c907773699f37f583f409b862284062b1ghsaWEB
github.com/rust-openssl/rust-openssl/pull/2605ghsaWEB
github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000