CVE-2026-41676
Published: 24 April 2026
Summary
CVE-2026-41676 is a critical-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in the rust-openssl project's rust-openssl crate. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Requires timely flaw remediation, such as upgrading rust-openssl to version 0.10.78, directly eliminating the buffer overflow vulnerability.
Deploys memory protections like ASLR, DEP, and stack canaries that mitigate exploitation of the heap/stack overflow from EVP_PKEY_derive.
Facilitates identification of vulnerable rust-openssl versions and affected OpenSSL 1.1.x through vulnerability scanning.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Buffer overflow in remote key derivation functions enables remote code execution in applications using the library, directly facilitating initial access via exploitation of public-facing applications or remote services.
NVD Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL. This vulnerability is fixed in 0.10.78.
Deeper analysis [AI]
CVE-2026-41676 is a buffer overflow vulnerability in the rust-openssl crate, which provides OpenSSL bindings for the Rust programming language. It affects versions from 0.9.27 up to but not including 0.10.78, specifically in the Deriver::derive and PkeyCtxRef::derive functions. These functions set the length parameter to the provided buffer's length and pass it to OpenSSL's EVP_PKEY_derive. However, with OpenSSL 1.1.x, algorithms such as X25519, X448, DH, and HKDF-extract ignore this incoming key length and write the full shared secret (32 or 56 bytes, or prime size bytes) regardless. This leads to a heap or stack overflow when a caller provides a short buffer slice. OpenSSL 3.x providers properly check the length, limiting the issue to older OpenSSL versions. The vulnerability corresponds to CWE-131 (Incorrect Calculation of Buffer Size) and CWE-787 (Out-of-bounds Write).
Attackers can exploit this remotely with low complexity and no privileges or user interaction required, as indicated by the CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation occurs when an application using the affected rust-openssl versions and OpenSSL 1.1.x invokes the vulnerable derive functions with an undersized buffer. A malicious actor controlling inputs to such an application—such as in a key derivation process during cryptographic operations—can trigger the overflow, potentially leading to arbitrary code execution, data corruption, or denial of service through high-impact confidentiality, integrity, and availability violations.
The rust-openssl security advisory at https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5 details the issue and confirms the fix in version 0.10.78, recommending immediate upgrades for affected users. Practitioners should verify OpenSSL versions in their Rust dependencies and audit code using these derive functions, especially in cryptographic libraries or applications handling key exchanges.
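The dependency check recommended above, as an added example that is not from the advisory or the rust-openssl project: it scans Cargo.lock text for `openssl` crate versions in the affected range (0.9.27 up to, but not including, 0.10.78). The sample lockfile is constructed and the function names are this example's own.

```rust
// Added example (not rust-openssl code): flag affected `openssl` crate versions in Cargo.lock.
const FIRST_AFFECTED: (u64, u64, u64) = (0, 9, 27); // range taken from the advisory text
const FIRST_FIXED: (u64, u64, u64) = (0, 10, 78);

// Constructed sample lockfile; versions are illustrative.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "openssl"
version = "0.10.64"
[[package]]
name = "openssl-sys"
version = "0.9.102"
"#;

/// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let ver = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(ver) }
}

fn is_affected(v: &str) -> bool {
    matches!(parse_version(v), Some(ver) if ver >= FIRST_AFFECTED && ver < FIRST_FIXED)
}

/// Versions of the `openssl` crate in the lockfile text that fall in the affected range.
fn affected_openssl_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        // Look up a `key = "value"` line inside this package block.
        let field = |key: &str| {
            block.lines().find_map(|l| {
                let (k, val) = l.split_once('=')?;
                (k.trim() == key).then(|| val.trim().trim_matches('"').to_string())
            })
        };
        if field("name").as_deref() == Some("openssl") {
            hits.extend(field("version").filter(|v| is_affected(v)));
        }
    }
    hits
}

fn main() {
    // Scan the lockfile given as the first argument, or the constructed sample.
    let path = std::env::args().nth(1);
    let text = path.map_or(SAMPLE_LOCK.to_string(), |p| std::fs::read_to_string(p).unwrap());
    for v in affected_openssl_versions(&text) {
        println!("openssl {v}: affected; upgrade to 0.10.78 or later");
    }
}
```

A hit only establishes the crate version; whether the build links OpenSSL 1.1.x, where the overflow applies, has to be checked separately.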
Details
- CWE(s)