Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3140 articles · 171656 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-41898EXPLOITEDPATCHED
rust-openssl_project · rust-openssl

rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer

Description

A vulnerability, which was classified as critical, was found in rust-openssl up to 0.10.77. This vulnerability affects the function set_psk_client_callback/set_psk_server_callback/set_cookie_generate_cb/set_stateless_cookie_generate_cb. Executing a manipulation can lead to buffer over-read. The identification of this vulnerability is CVE-2026-41898. The attack may be launched remotely.

Affected Products

VendorProductVersions
rust-openssl_projectrust-openssl>= 0.9.24, < 0.10.78, 0.10.77

References

  • https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3(x_refsource_CONFIRM)
  • https://github.com/rust-openssl/rust-openssl/pull/2607(x_refsource_MISC)
  • https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c(x_refsource_MISC)
  • https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78(x_refsource_MISC)

Related News (3 articles)

Tier A
Microsoft MSRC67d ago
CVE-2026-41898 rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer
→ No new info (linked only)
Tier C
oss-security72d ago
rust-openssl-v0.10.78 fixes 5 CVEs
→ No new info (linked only)
Tier C
VulDB72d ago
CVE-2026-41898 | rust-openssl up to 0.10.77 buffer over-read (GHSA-hppc-g8h3-xhp3)
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
0.10.78
CWECWE-126, CWE-130
PublishedApr 24, 2026
Last enriched72d agov3
Tags
securityopensslrust
Trending Score0
Source articles3
Independent3
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (4)

HIGHCVE-2026-41676EXP
rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
Trending: 83
HIGHCVE-2026-41678EXP
rust-openssl: Incorrect bounds assertion in aes key wrap
LOWCVE-2026-41677EXP
rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length
HIGHCVE-2026-41681EXP
rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 24, 2026
Discovered by ZDM
Apr 24, 2026
Actively Exploited
Apr 24, 2026
Patch Available
Apr 24, 2026
Updated: description, affectedVersions, severity, activelyExploited, patchAvailable
Apr 24, 2026
Updated: tags
Apr 24, 2026

Version History

v3
Last enriched 72d ago
v3Tier C72d ago

Updated patch version to 0.10.78 and added new CVE IDs and relevant tags.

tags
via oss-security
v2Tier C72d ago

Updated vendor and product to rust-openssl, changed severity to CRITICAL, and added affected version 0.10.77.

descriptionaffectedVersionsseverityactivelyExploitedpatchAvailable
via VulDB
v172d ago

Initial creation