CVE-2026-41678
Published: 24 April 2026
Summary
CVE-2026-41678 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the Rust-Openssl Project's rust-openssl crate. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the out-of-bounds write flaw in rust-openssl's aes::unwrap_key by upgrading to the fixed version 0.10.78.
Mandates vulnerability scanning to identify systems and dependencies using vulnerable rust-openssl versions affected by this CVE.
Provides memory protection mechanisms like ASLR and DEP to mitigate exploitation of the memory corruption from the out-of-bounds write even if unpatched.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation via crafted inputs to trigger OOB write and RCE in applications using the vulnerable function directly enables T1190.
NVD Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8, ensuring the output buffer is large enough. Because of the inverted check, the function only accepts buffers at or below the minimum required size and rejects larger ones. If a smaller buffer is provided the function will write past the end of out by in_.len() - 8 - out.len() bytes, causing an out-of-bounds write from a safe public function. This vulnerability is fixed in 0.10.78.
Deeper analysis
CVE-2026-41678 is a vulnerability in the rust-openssl crate, which provides OpenSSL bindings for the Rust programming language. Affected versions range from 0.10.0 to before 0.10.78. The issue resides in the aes::unwrap_key() function, which contains an incorrect assertion checking that out.len() + 8 <= in_.len(); this condition is reversed from the intended invariant of out.len() >= in_.len() - 8, meant to ensure the output buffer is sufficiently large. As a result, the function accepts only buffers at or below the minimum required size, rejecting larger ones, and performs an out-of-bounds write when a smaller buffer is provided, overwriting memory by in_.len() - 8 - out.len() bytes. This flaw, classified as CWE-787 (Out-of-bounds Write), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
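The inverted and intended length checks described above, modeled side by side as an added example (not code from rust-openssl or from this page). It never calls OpenSSL; `Verdict`, `classify`, the helper names and the 40-byte input length are constructed for illustration.

```rust
// Added example: models only the buffer-length checks; it never calls OpenSSL.
// All names below are hypothetical, not rust-openssl identifiers.

#[derive(Debug, PartialEq)]
enum Verdict {
    Rejected,                // the length check fails and the call is refused
    Safe,                    // accepted and the output fits in `out`
    OutOfBoundsWrite(usize), // accepted, this many bytes land past `out`
}

/// Check as described for affected versions: out.len() + 8 <= in_.len().
fn inverted_check(out_len: usize, in_len: usize) -> bool {
    out_len.checked_add(8).map_or(false, |n| n <= in_len)
}

/// Intended invariant out.len() >= in_.len() - 8, rearranged to avoid underflow.
fn intended_check(out_len: usize, in_len: usize) -> bool {
    out_len.checked_add(8).map_or(true, |n| n >= in_len)
}

/// Overrun size from the description: in_.len() - 8 - out.len(), floored at 0.
fn bytes_past_end(out_len: usize, in_len: usize) -> usize {
    in_len.saturating_sub(8).saturating_sub(out_len)
}

/// What happens to a call with these lengths under the given check.
fn classify(check: fn(usize, usize) -> bool, out_len: usize, in_len: usize) -> Verdict {
    if !check(out_len, in_len) {
        return Verdict::Rejected;
    }
    match bytes_past_end(out_len, in_len) {
        0 => Verdict::Safe,
        n => Verdict::OutOfBoundsWrite(n),
    }
}

fn main() {
    let in_len: usize = 40; // constructed input length, so 32 bytes of output
    for out_len in [16usize, 32, 48] {
        let before = classify(inverted_check, out_len, in_len);
        let after = classify(intended_check, out_len, in_len);
        println!("out={:2} inverted={:?} intended={:?}", out_len, before, after);
    }
}
```

Under the inverted check, the only output size that is both accepted and large enough is exactly in_.len() - 8; anything smaller is accepted and overruns, anything larger is refused.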
An attacker can exploit this vulnerability remotely without privileges or user interaction by supplying crafted inputs to applications or code that invoke the vulnerable aes::unwrap_key() function. Although the function is marked as safe and public, the buffer size mishandling enables arbitrary memory corruption via the out-of-bounds write, potentially leading to high-impact confidentiality, integrity, and availability violations, such as code execution, data tampering, or denial of service, depending on the context and memory layout.
The GitHub Security Advisory (GHSA-8c75-8mhr-p7r9) for rust-openssl confirms the vulnerability and states that it is fixed in version 0.10.78, recommending that users upgrade to this or later versions to mitigate the issue.
Details
- CWE(s)