rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length

Description

A vulnerability classified as critical has been found in rust-openssl up to 0.10.77. Affected by this vulnerability is the function _from_pem_callback of the component API. This manipulation causes out-of-bounds read. This vulnerability is handled as CVE-2026-41677. The attack can be initiated remotely.

Affected Products

Vendor	Product	Versions
rust-openssl	rust-openssl	>= 0.9.0, < 0.10.78

References

https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2(x_refsource_CONFIRM)

Related News (2 articles)

Tier A

Microsoft MSRC5h ago

CVE-2026-41677 rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length

→ No new info (linked only)

Tier C

VulDB1d ago

CVE-2026-41677 | rust-openssl up to 0.10.77 API _from_pem_callback out-of-bounds (GHSA-xmgf-hq76-4vx2)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

openssl@0.10.78

CWECWE-125, CWE-1284

PublishedApr 22, 2026

Last enriched1d agov2

Community Vote

Version History

Last enriched 1d ago

v2Tier C1d ago

Updated severity to CRITICAL, marked as actively exploited, and provided a more detailed description of the vulnerability.

descriptionseverityactivelyExploited

via VulDB

v13d ago

Initial creation

rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (4)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History