CVE-2026-41681
Published: 24 April 2026
Summary
CVE-2026-41681 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Rust-Openssl Project Rust-Openssl. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of flaws like the buffer overflow in vulnerable rust-openssl versions affected by CVE-2026-41681.
Requires vulnerability scanning to detect the presence of CVE-2026-41681 in rust-openssl crate dependencies across system components.
Deploys memory protections that mitigate exploitation of the stack-based buffer overflow in CVE-2026-41681, such as stack canaries or non-executable memory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote network-exploitable stack buffer overflow in a Rust library allowing unauthenticated arbitrary code execution with no user interaction, directly enabling T1190 Exploit Public-Facing Application for initial access.
NVD Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable…
more
from safe Rust. This vulnerability is fixed in 0.10.78.
Deeper analysisAI
CVE-2026-41681 is a stack-based buffer overflow vulnerability (CWE-121) in the rust-openssl crate, which provides OpenSSL bindings for the Rust programming language. Affecting versions from 0.10.39 up to but not including 0.10.78, the issue stems from the EVP_DigestFinal() function always writing EVP_MD_CTX_size(ctx) bytes to the output buffer without verifying its size. Consequently, the MdCtxRef::digest_final() method can write past the end of a smaller output buffer, typically corrupting the stack. This flaw is exploitable directly from safe Rust code.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation leads to high-impact confidentiality, integrity, and availability violations, enabling arbitrary code execution, data disclosure, or denial of service through stack corruption in affected Rust applications using vulnerable rust-openssl versions.
The vulnerability is addressed in rust-openssl version 0.10.78, where the fix prevents buffer overruns by properly handling output buffer sizes. Security practitioners should upgrade to this version or later, as detailed in the project's security advisory (GHSA-ghm9-cr32-g9qj), the fixing commit (826c3888b77add418b394770e2b2e3a72d9f92fe), pull request 2608, and the release announcement. Auditing dependencies for vulnerable ranges and testing for safe Rust compatibility is recommended.
Details
- CWE(s)