Cyber Resilience

CVE-2026-41678

High

Published: 24 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: available (fixed in rust-openssl 0.10.78)
CVSS v4.0 base score: 7.2 (High), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (environmental and supplemental metrics not defined)
EPSS score: 0.0029 (21.1st percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-41678 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in rust-openssl (tracked as vendor Rust-Openssl Project, product Rust-Openssl), the project behind the openssl crate. Its CVSS v4.0 base score is 7.2 (High); under CVSS v3.1 it scores 9.8 (Critical), as detailed below.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41678 is a vulnerability in rust-openssl, the project behind the openssl crate that provides OpenSSL bindings for the Rust programming language. Affected versions run from 0.10.0 up to but not including 0.10.78. The flaw is in the safe, public function aes::unwrap_key(), the RFC 3394 AES key-unwrap wrapper. Before handing the buffers to OpenSSL's AES_unwrap_key it asserts that out.len() + 8 <= in_.len(), but that condition is the reverse of the intended invariant out.len() >= in_.len() - 8, which exists because the unwrapped key is exactly 8 bytes shorter than the wrapped input (the wrapped form carries a 64-bit integrity block). The reversed check has two effects. Output buffers larger than in_.len() - 8 are rejected by the assertion, and output buffers smaller than that are accepted; OpenSSL then writes in_.len() - 8 bytes of plaintext into out regardless of its length, overrunning it by in_.len() - 8 - out.len() bytes. A caller that sizes out to exactly in_.len() - 8 satisfies both the buggy and the intended check and is neither rejected nor overflowed. The flaw is classified as CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; the CVSS v4.0 score of 7.2 shown above is lower because its vector records AT:P (an attack requirement, here a caller that passes a mismatched buffer pair) and E:U (no reported exploit).

Exploitation is remote and needs neither privileges nor user interaction, but it does need a code path in which the attacker controls the length of the wrapped-key input (in_) while the application's output buffer (out) is sized independently, for example a fixed-size stack or heap buffer for an expected key length. Supplying a wrapped blob longer than out.len() + 8 passes the inverted assertion and the subsequent OpenSSL call overruns out. Because the function is safe and public, nothing in the Rust type system warns the caller; the write happens inside the FFI call, and OpenSSL unwraps into out before it compares the recovered integrity block, so a forged blob under an unknown key still produces the overrun. The bytes written are AES decryptions of the attacker's input under the application's key-encryption key, so an attacker who does not hold that key chooses the length of the overrun but not its content: a crash or denial of service is the dependable outcome, while data tampering or code execution depends on what lies beyond out in memory and on the platform's memory-protection features. The high confidentiality, integrity and availability ratings reflect that worst case.
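To make the inverted check concrete, here is an added example (not code from rust-openssl or the advisory) that tables both assertions over a few constructed buffer sizes and shows the caller-side guard a practitioner would want even while pinned to an affected version: derive out.len() from the wrapped input rather than from an expected key size. It does not link the openssl crate; the FFI call is replaced by a closure parameter named unwrap, and the assumption that RFC 3394 ciphertexts are multiples of 8 bytes of at least 24 bytes (16-byte minimum key plus the 8-byte integrity block) is the example's own.

```rust
// Added example, not rust-openssl's own code: models the length assertion in
// aes::unwrap_key() before 0.10.78 against the intended invariant, and shows
// how a caller should size `out`. The FFI call is replaced by a closure
// parameter so this runs without the openssl crate; all sizes are constructed.

/// Outcome of one (out.len(), in_.len()) pair under both checks.
#[derive(Debug, PartialEq)]
pub struct Outcome {
    /// Whether `assert!(out.len() + 8 <= in_.len())` (pre-0.10.78) passes.
    pub old_check_passes: bool,
    /// Whether the intended `out.len() >= in_.len() - 8` holds.
    pub intended_holds: bool,
    /// Bytes AES_unwrap_key would write past the end of `out` when the old
    /// check passes: it writes in_.len() - 8 bytes regardless of out.len().
    pub overflow: usize,
}

pub fn assess(out_len: usize, in_len: usize) -> Outcome {
    let old_check_passes = out_len + 8 <= in_len;
    let intended_holds = in_len >= 8 && out_len >= in_len - 8;
    // If the old assertion passed, in_len >= out_len + 8, so no underflow here.
    let overflow = if old_check_passes { (in_len - 8).saturating_sub(out_len) } else { 0 };
    Outcome { old_check_passes, intended_holds, overflow }
}

/// Exact output size a wrapped blob implies. Assumption (RFC 3394): the
/// ciphertext is a multiple of 8 bytes and at least 24 bytes; anything else is
/// rejected before the crate is touched. With out.len() == in_.len() - 8 the old
/// assertion holds with equality and the intended one holds too, so a caller
/// sizing this way is neither rejected nor overflowed on any version.
pub fn unwrapped_len(wrapped_len: usize) -> Option<usize> {
    if wrapped_len < 24 || wrapped_len % 8 != 0 {
        return None;
    }
    Some(wrapped_len - 8)
}

/// Hardened caller. `unwrap` stands in for openssl::aes::unwrap_key (a
/// hypothetical closure taking (out, in_) and returning the bytes written).
pub fn unwrap_checked<F>(wrapped: &[u8], unwrap: F) -> Result<Vec<u8>, &'static str>
where
    F: FnOnce(&mut [u8], &[u8]) -> Result<usize, ()>,
{
    let n = unwrapped_len(wrapped.len()).ok_or("wrapped key has an invalid length")?;
    let mut out = vec![0u8; n];
    let written = unwrap(&mut out, wrapped).map_err(|_| "unwrap failed (bad key or integrity check)")?;
    if written != n {
        return Err("unwrap wrote an unexpected number of bytes");
    }
    Ok(out)
}

fn main() {
    // Constructed sizes: a 24-byte wrapped blob carries a 16-byte key.
    for (out_len, in_len) in [(16usize, 24usize), (24, 24), (8, 24), (32, 24)] {
        let o = assess(out_len, in_len);
        println!(
            "out={:>2} in={:>2}  old assert passes={:<5} intended holds={:<5} overflow={} bytes",
            out_len, in_len, o.old_check_passes, o.intended_holds, o.overflow
        );
    }
    let wrapped = [0u8; 40]; // constructed: a 40-byte blob implies a 32-byte key
    let key = unwrap_checked(&wrapped, |out, in_| {
        out.fill(0xAA); // stand-in for the real unwrap; content is irrelevant here
        Ok(in_.len() - 8)
    });
    println!("checked unwrap -> {:?} bytes", key.map(|k| k.len()));
}
```

The (24, 24) row is the "rejects larger buffers" half of the bug and the (8, 24) row is the overflow half; only the (16, 24) row, where out is sized exactly from the input, is accepted by both checks. unwrap_checked builds that exact sizing into the call site, which is the cheapest interim mitigation when the crate version cannot move immediately.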

The GitHub Security Advisory (GHSA-8c75-8mhr-p7r9) for rust-openssl confirms the vulnerability and states that it is fixed in version 0.10.78; users should upgrade to 0.10.78 or later. Because the bug is in the crate's own assertion rather than in the system OpenSSL library, updating the operating system's libssl does not help; the openssl crate pinned in Cargo.lock is what has to move.


Vulnerability details

rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8, ensuring the output buffer is large enough. Because of the inverted check, the function only accepts buffers at or below the minimum required size and rejects larger ones. If a smaller buffer is provided the function will write past the end of out by in_.len() - 8 - out.len() bytes, causing an out-of-bounds write from a safe public function. This vulnerability is fixed in 0.10.78.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Feeding a crafted wrapped-key blob to an Internet-facing application that calls the vulnerable function, with no authentication or user interaction required, triggers the out-of-bounds write and potentially code execution; that is exactly the initial-access path T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41681 (same product: Rust-Openssl Project Rust-Openssl)
CVE-2026-41898 (same product: Rust-Openssl Project Rust-Openssl)
CVE-2026-41676 (same product: Rust-Openssl Project Rust-Openssl)
CVE-2026-41677 (same product: Rust-Openssl Project Rust-Openssl)
CVE-2025-27807 (shared CWE-787)
CVE-2024-48856 (shared CWE-787)
CVE-2025-14234 (shared CWE-787)
CVE-2018-25223 (shared CWE-787)
CVE-2018-25154 (shared CWE-787)
CVE-2024-57704 (shared CWE-787)

Affected Assets

rust-openssl project: rust-openssl (the openssl crate)
Versions 0.10.24 up to, but not including, 0.10.78. The summary above gives 0.10.0 as the start of the range; treating every version below 0.10.78 as affected is the safe reading.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent, recover)

Directly requires timely remediation of the out-of-bounds write in rust-openssl's aes::unwrap_key by upgrading the openssl crate to 0.10.78 or later.

RA-5 Vulnerability Monitoring and Scanning (detect)

Mandates vulnerability scanning to identify systems and dependencies, including Cargo.lock pins, that use rust-openssl versions affected by this CVE.

SI-16 Memory Protection (prevent)

Memory-protection mechanisms such as ASLR and DEP/NX do not stop the out-of-bounds write itself, but they make turning it into code execution less reliable on hosts that cannot be patched immediately; they are a stopgap, not a fix.
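The RA-5 scanning control above comes down to one question per repository: does Cargo.lock pin the openssl crate below 0.10.78? In practice cargo audit against the RustSec advisory database answers it; the added example below (not rust-openssl's code) shows the check itself on a constructed lockfile, hand-parsing the [[package]] tables so it needs no dependencies. The crate name openssl and the fixed version 0.10.78 come from the advisory; the sample lockfile content is made up for the demonstration.

```rust
// Added example, not rust-openssl's own code: a minimal Cargo.lock scanner that
// flags the `openssl` crate (the crate rust-openssl publishes) below 0.10.78.
// It hand-parses [[package]] tables so it runs without the toml crate. The
// lockfile text below is constructed for the demo.

/// First release that carries the fix, per the advisory.
pub const FIXED: (u64, u64, u64) = (0, 10, 78);

/// Parse "MAJOR.MINOR.PATCH" (optionally quoted) into a comparable tuple.
/// A pre-release suffix on the patch part is ignored, so a pre-release of the
/// fixed version is treated as fixed; tighten this if your pins use them.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut parts = s.trim().trim_matches('"').split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts
        .next()?
        .split(|c: char| !c.is_ascii_digit())
        .next()?
        .parse()
        .ok()?;
    Some((major, minor, patch))
}

/// Anything below the fixed release is treated as affected. This is wider
/// than the advisory's start of range on purpose: it errs toward flagging.
pub fn is_vulnerable(v: (u64, u64, u64)) -> bool {
    v < FIXED
}

/// (name, version) for each [[package]] table in a Cargo.lock. Lines outside
/// a package table (such as the top-level `version = 3`) are ignored because
/// they never pair a name with a version.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut pkgs = Vec::new();
    let mut cur: (Option<String>, Option<String>) = (None, None);
    let unquote = |v: &str| v.trim().trim_matches('"').to_string();
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = std::mem::take(&mut cur) {
                pkgs.push((n, v));
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            cur.0 = Some(unquote(v));
        } else if let Some(v) = line.strip_prefix("version = ") {
            cur.1 = Some(unquote(v));
        }
    }
    if let (Some(n), Some(v)) = cur {
        pkgs.push((n, v));
    }
    pkgs
}

/// Versions of `openssl` in the lockfile that are below the fix. A lockfile
/// can pin several copies, so every one is returned; an unparsable version is
/// reported rather than silently skipped.
pub fn vulnerable_openssl(lock: &str) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .filter(|(name, ver)| name == "openssl" && parse_version(ver).map_or(true, is_vulnerable))
        .map(|(_, ver)| ver)
        .collect()
}

/// Constructed lockfile for the demonstration (not from any real project).
pub const SAMPLE_LOCK: &str = r#"# Constructed lockfile for the example.
version = 3

[[package]]
name = "foreign-types"
version = "0.3.2"

[[package]]
name = "openssl"
version = "0.10.64"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.102"
"#;

fn main() {
    let hits = vulnerable_openssl(SAMPLE_LOCK);
    if hits.is_empty() {
        println!("openssl crate not found or already >= 0.10.78");
    } else {
        for v in hits {
            println!("openssl {} is below 0.10.78 (CVE-2026-41678): upgrade", v);
        }
    }
}
```

Only the openssl crate is checked; openssl-sys is a separate crate with its own versioning and is not the subject of this advisory. Run the same function over every Cargo.lock in the estate, including vendored and workspace members, since a fixed root crate does not guarantee that a transitive dependency has moved too.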
