CVE-2026-41677

rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length

Description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.

INFO

Published Date :

2026-04-24T17:17:17.849Z

Last Modified :

2026-04-24T18:02:27.756Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-41677 vulnerability.

Vendors	Products
Rust-openssl Project	Rust-openssl

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41677.

URL	Resource
https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability