CVE-2026-44662
Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced. This only affects users of the AES key-wrap-with-padding ciphers. This vulnerability is fixed in 0.10.79.
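The sizing mismatch behind this advisory, as an added example that is not rust-openssl's own code: AES key wrap with padding (RFC 5649, which OpenSSL's EVP_aes_*_wrap_pad implements) pads the plaintext up to a multiple of 8 bytes and then prepends an 8-byte integrity block, so the output for a non-multiple-of-8 input is larger than "input length plus one block". The naive sizing modelled in `naive_output_len` is an assumption for illustration, not a quote of the affected code; the point is the pre-flight capacity check a caller can run before handing a buffer to an FFI wrap routine.

```rust
// Added example (not rust-openssl's code): exact output sizing for AES key
// wrap with padding and a capacity check to run before any FFI call that
// writes into a caller-supplied buffer.

const SEMIBLOCK: usize = 8; // key wrap operates on 64-bit half-blocks

/// Exact ciphertext length for key wrap with padding (RFC 5649): the
/// plaintext is padded up to a multiple of 8 bytes, then an 8-byte
/// integrity/length block is prepended. At least one plaintext byte is
/// required, so 0 yields None. Overflow on huge lengths also yields None.
pub fn wrap_pad_output_len(plaintext_len: usize) -> Option<usize> {
    if plaintext_len == 0 {
        return None;
    }
    let padded = plaintext_len.checked_add(SEMIBLOCK - 1)? / SEMIBLOCK * SEMIBLOCK;
    padded.checked_add(SEMIBLOCK)
}

/// ASSUMED naive sizing used for illustration: input length plus one
/// 8-byte block. This is enough for padding-free key wrap (multiple-of-8
/// inputs) and for ordinary block-cipher updates, but not for wrap-pad.
pub fn naive_output_len(plaintext_len: usize) -> usize {
    plaintext_len + SEMIBLOCK
}

/// Bytes by which the real wrap-pad output would extend past a buffer
/// sized the naive way: 0 for multiples of 8, otherwise 1..=7.
pub fn overrun_bytes(plaintext_len: usize) -> usize {
    match wrap_pad_output_len(plaintext_len) {
        Some(exact) => exact.saturating_sub(naive_output_len(plaintext_len)),
        None => 0,
    }
}

/// Pre-flight check: refuse to call into the C wrap routine unless the
/// caller's buffer can hold the full output. Returns the exact byte count
/// the routine will write so the caller can truncate the buffer afterwards.
pub fn check_output_capacity(plaintext_len: usize, out_capacity: usize) -> Result<usize, String> {
    let needed = wrap_pad_output_len(plaintext_len)
        .ok_or_else(|| "key wrap with padding needs at least one plaintext byte".to_string())?;
    if out_capacity < needed {
        return Err(format!(
            "output buffer holds {out_capacity} bytes, wrap-pad output needs {needed}"
        ));
    }
    Ok(needed)
}

fn main() {
    for len in [1usize, 7, 8, 9, 15, 16, 17, 31, 32] {
        println!(
            "plaintext {len:>2} bytes -> wrap-pad output {:>2}, naive sizing {:>2}, overrun {}",
            wrap_pad_output_len(len).unwrap(),
            naive_output_len(len),
            overrun_bytes(len)
        );
    }
    // A Vec sized the naive way is 1..=7 bytes short for non-multiple-of-8 input;
    // the check rejects it instead of letting the FFI call write past the end.
    let out: Vec<u8> = vec![0; naive_output_len(9)];
    match check_output_capacity(9, out.len()) {
        Ok(n) => println!("buffer ok, {n} bytes will be written"),
        Err(e) => println!("rejected: {e}"),
    }
}
```

The defensive rule this encodes is the one the fix in 0.10.79 restores for callers: for the wrap-pad ciphers, size the output from the padded length rather than from `input.len() + block_size`, and treat a shortfall as an error before the C side runs, not after.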
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openssl (crates.io) | >= 0.10.0, < 0.10.79 | 0.10.79 |
Affected products
- Range: >= 0.10.0, < 0.10.79
- OSV coordinates (12 package versions, no CPE):
  - pkg:apk/chainguard/guestproxyagent: < 1.0.44-r0
  - pkg:apk/chainguard/sccache: < 0.15.0-r2
  - pkg:apk/chainguard/sdp-identity-service: < 1.3.10-r7
  - pkg:apk/chainguard/sdp-k8s-injector: < 1.3.10-r7
  - pkg:apk/chainguard/sqlx: < 0.8.6-r7
  - pkg:apk/chainguard/typst: < 0.14.2-r8
  - pkg:apk/chainguard/vector: < 0.55.0-r4
  - pkg:apk/wolfi/sccache: < 0.15.0-r2
  - pkg:apk/wolfi/sdp-identity-service: < 1.3.10-r7
  - pkg:apk/wolfi/sdp-k8s-injector: < 1.3.10-r7
  - pkg:apk/wolfi/sqlx: < 0.8.6-r7
  - pkg:apk/wolfi/vector: < 0.55.0-r4