Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3141 articles · 171662 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-41681EXPLOITEDPATCHED
rust-openssl_project · rust-openssl

rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check

Description

A vulnerability, which was classified as critical, has been found in rust-openssl up to 0.10.77. This affects the function EVP_DigestFinal. Performing a manipulation results in stack-based buffer overflow. This vulnerability was named CVE-2026-41681. The attack may be initiated remotely.

Affected Products

VendorProductVersions
rust-openssl_projectrust-opensslrust/openssl: >= 0.10.39, < 0.10.78

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
oracleoracle linuxcert_advisory90%

References

  • https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj(x_refsource_CONFIRM)
  • https://github.com/rust-openssl/rust-openssl/pull/2608(x_refsource_MISC)
  • https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe(x_refsource_MISC)
  • https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78(x_refsource_MISC)

Related News (3 articles)

Tier B
BSI Advisories44d ago
[NEU] [hoch] Oracle Linux: Mehrere Schwachstellen
→ No new info (linked only)
Tier A
Microsoft MSRC70d ago
CVE-2026-41681 rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check
→ No new info (linked only)
Tier C
VulDB72d ago
CVE-2026-41681 | rust-openssl up to 0.10.77 EVP_DigestFinal stack-based overflow (GHSA-ghm9-cr32-g9qj)
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
openssl@0.10.78
CWECWE-121
PublishedApr 22, 2026
Last enriched72d agov2
Tags
GHSA-ghm9-cr32-g9qjrust
Trending Score0
Source articles3
Independent3
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (4)

HIGHCVE-2026-41676EXP
rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
Trending: 83
HIGHCVE-2026-41678EXP
rust-openssl: Incorrect bounds assertion in aes key wrap
CRITICALCVE-2026-41898EXP
rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer
LOWCVE-2026-41677EXP
rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 22, 2026
Discovered by ZDM
Apr 22, 2026
Actively Exploited
Apr 24, 2026
Patch Available
Apr 24, 2026
Updated: description, severity, activelyExploited
Apr 24, 2026

Version History

v2
Last enriched 72d ago
v2Tier C72d ago

Updated severity to CRITICAL, added CVE-2026-41681, and noted that there is no available exploit.

descriptionseverityactivelyExploited
via VulDB
v174d ago

Initial creation