Cyber Posture

CVE-2026-41677

Critical

Published: 24 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: fixed in rust-openssl 0.10.78
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41677 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in the rust-openssl crate (vendor: Rust-Openssl Project). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1499.004, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 (Flaw Remediation), prevent: directly requires timely patching of known flaws such as the buffer over-read in vulnerable rust-openssl versions, by updating to 0.10.78.
- SI-16 (Memory Protection), prevent: provides memory protection mechanisms such as address space layout randomization and data execution prevention to mitigate exploitation of out-of-bounds reads.
- Input validation (prevent): enforces validation of input quantities such as callback-returned lengths to prevent out-of-bounds buffer access.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote, unauthenticated network exploitation of applications that use vulnerable rust-openssl enables initial access through public-facing application exploitation (T1190), and endpoint denial of service through application exploitation that causes crashes or resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.

Deeper analysis

CVE-2026-41677 affects the rust-openssl crate, which provides OpenSSL bindings for the Rust programming language. In versions from 0.9.0 up to but not including 0.10.78, the *_from_pem_callback family of APIs fails to validate the length value returned by the user's callback function. If the callback returns a length exceeding the size of the buffer it was given, certain versions of OpenSSL over-read that buffer. OpenSSL 3.x versions are explicitly not affected. The issue is classified under CWE-125 (Out-of-bounds Read) and CWE-1284 (Improper Validation of Specified Quantity in Input), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

Remote attackers can exploit this vulnerability without privileges or user interaction over a network connection with low complexity. By supplying a malicious password callback that reports an oversized length, they can induce OpenSSL to read beyond the buffer boundaries, potentially disclosing sensitive memory contents and causing denial-of-service conditions through crashes or resource exhaustion.

The rust-openssl security advisory at https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2 confirms the vulnerability and states that it is fixed in version 0.10.78. Security practitioners should update to this version or later to mitigate the issue, particularly in Rust applications using affected rust-openssl versions alongside vulnerable OpenSSL builds.
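The following Rust is an added illustration, not code from the rust-openssl crate and not the advisory's patch. It models the callback contract the description refers to: the library hands the password callback a fixed-size buffer, and the callback returns how many passphrase bytes it wrote (in the openssl crate that closure has the shape FnOnce(&mut [u8]) -> Result<usize, ErrorStack>). The CallbackError enum and the run_callback_validated wrapper are assumptions standing in for the crate's own types and internals; they show the two sides of the defence, a callback that only ever reports bytes that fit, and a consumer that refuses a returned length larger than the buffer it issued.

```rust
// Added illustration (not rust-openssl's code). Models the *_from_pem_callback
// contract: the library provides a buffer, the callback returns a byte count.

/// Stand-in for openssl::error::ErrorStack (assumption, kept minimal).
#[derive(Debug, PartialEq)]
pub enum CallbackError {
    /// The passphrase does not fit in the buffer the library provided.
    PasswordTooLong { capacity: usize, needed: usize },
    /// The callback claimed to have written more bytes than the buffer holds.
    LengthExceedsBuffer { returned: usize, capacity: usize },
}

/// A well-behaved password callback: it copies the passphrase into the buffer
/// it was given and reports only the number of bytes that actually fit.
pub fn bounded_password_callback(buf: &mut [u8], password: &[u8]) -> Result<usize, CallbackError> {
    if password.len() > buf.len() {
        return Err(CallbackError::PasswordTooLong {
            capacity: buf.len(),
            needed: password.len(),
        });
    }
    buf[..password.len()].copy_from_slice(password);
    Ok(password.len())
}

/// The validation that rust-openssl 0.9.0 up to before 0.10.78 did not perform:
/// the length a callback returns is untrusted and must be checked against the
/// buffer that was actually handed out before anything reads that many bytes
/// (here the caller; in the real crate, the OpenSSL C code). Hypothetical
/// wrapper, not the crate's internals.
pub fn run_callback_validated<F>(capacity: usize, callback: F) -> Result<Vec<u8>, CallbackError>
where
    F: FnOnce(&mut [u8]) -> Result<usize, CallbackError>,
{
    let mut buf = vec![0u8; capacity];
    let claimed = callback(&mut buf)?;
    if claimed > capacity {
        // A pre-3.x OpenSSL given this count would read `claimed` bytes from a
        // `capacity`-byte buffer (CWE-125); refuse instead of passing it on.
        return Err(CallbackError::LengthExceedsBuffer {
            returned: claimed,
            capacity,
        });
    }
    buf.truncate(claimed);
    Ok(buf)
}

fn main() {
    // Constructed inputs: a short passphrase and a 64-byte buffer.
    let ok = run_callback_validated(64, |buf| bounded_password_callback(buf, b"correct horse"));
    println!("well-behaved callback: {:?}", ok);

    // A callback that misreports its length; the wrapper rejects it instead of
    // letting the oversized count reach an over-reading consumer.
    let bad = run_callback_validated(64, |_buf| Ok(1000));
    println!("misreporting callback: {:?}", bad);
}
```

For application code, the first function is the part that matters: a callback written this way can never trigger the over-read even on an unpatched crate and an OpenSSL 1.1.x build, while upgrading to 0.10.78 adds the second check on the library side.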

Details

CWE(s): CWE-125 (Out-of-bounds Read), CWE-1284 (Improper Validation of Specified Quantity in Input)

Affected Products

- rust-openssl project, rust-openssl: versions 0.9.0 up to (but excluding) 0.10.78

CVEs Like This One

- CVE-2026-41898 (same product: Rust-Openssl Project rust-openssl)
- CVE-2026-41678 (same product: Rust-Openssl Project rust-openssl)
- CVE-2026-41681 (same product: Rust-Openssl Project rust-openssl)
- CVE-2026-41676 (same product: Rust-Openssl Project rust-openssl)
- CVE-2026-32877 (shared CWE-125)
- CVE-2026-41475 (shared CWE-125)
- CVE-2026-35203 (shared CWE-125)
- CVE-2026-5437 (shared CWE-125)
- CVE-2026-40890 (shared CWE-125)
- CVE-2025-62603 (shared CWE-125)
