CVE-2026-41678
Published: 24 April 2026
Summary
CVE-2026-41678 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Rust-Openssl (Rust-Openssl Project). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 21.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-41678 is a vulnerability in the rust-openssl crate, which provides OpenSSL bindings for the Rust programming language. Affected versions range from 0.10.0 to before 0.10.78. The issue resides in the aes::unwrap_key() function, which contains an incorrect assertion checking that out.len() + 8 <= in_.len(); this condition is reversed from the intended invariant of out.len() >= in_.len() - 8, which is meant to ensure the output buffer is sufficiently large. As a result, the function accepts only buffers at or below the minimum required size, rejecting larger ones, and performs an out-of-bounds write when a smaller buffer is provided, writing in_.len() - 8 - out.len() bytes past the end of the buffer. This flaw, classified as CWE-787 (Out-of-bounds Write), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability remotely without privileges or user interaction by supplying crafted inputs to applications or code that invoke the vulnerable aes::unwrap_key() function. Although the function is marked as safe and public, the buffer size mishandling enables arbitrary memory corruption via the out-of-bounds write, potentially leading to high-impact confidentiality, integrity, and availability violations, such as code execution, data tampering, or denial of service, depending on the context and memory layout.
The GitHub Security Advisory (GHSA-8c75-8mhr-p7r9) for rust-openssl confirms the vulnerability and states that it is fixed in version 0.10.78, recommending that users upgrade to this or later versions to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25584
Vulnerability details
rust-openssl provides OpenSSL bindings for the Rust programming language. In versions before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8, ensuring the output buffer is large enough. Because of the inverted check, the function only accepts buffers at or below the minimum required size and rejects larger ones. If a smaller buffer is provided, the function will write past the end of out by in_.len() - 8 - out.len() bytes, causing an out-of-bounds write from a safe public function. This vulnerability is fixed in 0.10.78.
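As an added illustration of the size precondition discussed in the analysis and details above (this is not code from rust-openssl or from the advisory), the inverted check and the intended invariant side by side, plus a hypothetical caller-side helper that validates both lengths and returns an error instead of trusting the callee's assertion. The rules that the wrapped input must be a whole number of 8-byte blocks and at least 16 bytes are assumptions taken from the AES key-wrap format, not from this page.

```rust
/// Plaintext length for an AES key-wrap ciphertext of `in_len` bytes: the wrapped
/// key is 8 bytes longer than the key it protects. Assumption (from the key-wrap
/// format, not this advisory): input is a whole number of 8-byte blocks, >= 16.
fn unwrapped_len(in_len: usize) -> Option<usize> {
    if in_len < 16 || in_len % 8 != 0 {
        return None;
    }
    Some(in_len - 8)
}

/// The inverted precondition the advisory describes: it admits output buffers that
/// are too small and rejects buffers that are larger than necessary.
fn vulnerable_precondition(out_len: usize, in_len: usize) -> bool {
    out_len + 8 <= in_len
}

/// The intended invariant: `out` must be able to hold in_len - 8 bytes.
fn correct_precondition(out_len: usize, in_len: usize) -> bool {
    in_len >= 8 && out_len >= in_len - 8
}

/// Bytes the inverted check would allow to be written past the end of `out`.
fn overrun_bytes(out_len: usize, in_len: usize) -> usize {
    if vulnerable_precondition(out_len, in_len) && in_len - 8 > out_len {
        in_len - 8 - out_len
    } else {
        0
    }
}

#[derive(Debug, PartialEq)]
enum UnwrapError {
    BadInputLength(usize),
    OutputTooSmall { need: usize, have: usize },
}

/// Defensive caller-side check (hypothetical helper): validate both lengths and
/// return an error instead of relying on the callee's assertion, then hand back
/// exactly the region an unwrap call may fill.
fn checked_unwrap_target<'a>(out: &'a mut [u8], in_: &[u8]) -> Result<&'a mut [u8], UnwrapError> {
    let need = unwrapped_len(in_.len()).ok_or(UnwrapError::BadInputLength(in_.len()))?;
    if out.len() < need {
        return Err(UnwrapError::OutputTooSmall { need, have: out.len() });
    }
    Ok(&mut out[..need])
}
```

With a constructed 24-byte wrapped blob, the inverted check accepts an 8-byte output buffer (an 8-byte overrun) and rejects a 32-byte one, while the intended invariant does the opposite.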
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation via crafted inputs to trigger OOB write and RCE in applications using the vulnerable function directly enables T1190.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely remediation of the out-of-bounds write flaw in rust-openssl's aes::unwrap_key by upgrading to the fixed version 0.10.78.
- RA-5 (Vulnerability Monitoring and Scanning): Mandates vulnerability scanning to identify systems and dependencies using vulnerable rust-openssl versions affected by this CVE.
- Memory protection: Provides memory protection mechanisms like ASLR and DEP to mitigate exploitation of the memory corruption from the out-of-bounds write even if unpatched.