rust-openssl Flaws Enable Memory Disclosure and Buffer Overwrite
Two high-severity vulnerabilities were disclosed in rust-openssl, the Rust bindings for OpenSSL, affecting multiple 0.9.x and 0.10.x releases prior to 0.10.78. CVE-2026-41898 affects versions from 0.9.24 up to, but not including, 0.10.78, where several FFI trampoline callback paths passed a closure-returned usize to OpenSSL without validating it against the output buffer size. The flaw can trigger buffer overflows and leak adjacent memory to a network peer, and it is mapped to CWE-126 and CWE-130.
A second issue, CVE-2026-41681, affects versions from 0.10.39 up to, but not including, 0.10.78, in MdCtxRef::digest_final(), which writes EVP_MD_CTX_size(ctx) bytes to the caller buffer without checking whether the buffer is large enough. The resulting out-of-bounds write can cause stack corruption and is reachable from safe Rust, with the weakness classified as CWE-121. Both vulnerabilities were addressed in rust-openssl 0.10.78, with public advisories, code references, and fix details released alongside the CVE records.
Timeline
Apr 24, 2026
CVE-2026-41898 disclosed for rust-openssl callback length handling flaw
CVE-2026-41898 was published for rust-openssl, affecting versions 0.9.24 through before 0.10.78. The issue stems from FFI trampoline callback paths forwarding a closure-returned length to OpenSSL without validating it against the output buffer, potentially leaking adjacent memory or causing overflow-related behavior.
Apr 24, 2026
CVE-2026-41681 disclosed for rust-openssl digest_final buffer overflow
CVE-2026-41681 was published for rust-openssl, affecting versions 0.10.39 through before 0.10.78. The flaw allows MdCtxRef::digest_final() to write past a caller-provided buffer because no length check is performed before EVP_DigestFinal() writes the digest output.
Apr 24, 2026
rust-openssl 0.10.78 fixes two memory-safety flaws
rust-openssl version 0.10.78 was released with fixes for two vulnerabilities: unchecked callback-returned lengths in PSK and cookie trampolines, and a missing output-length check in MdCtxRef::digest_final(). The fixes addressed affected version ranges below 0.10.78 referenced by later advisories.
Apr 19, 2026
rust-openssl 0.10.78 released to fix five CVEs
The rust-openssl project released openssl-v0.10.78 on 2026-04-19 to address five security vulnerabilities disclosed via GitHub Security Advisories. The fixes covered multiple memory-safety issues, including key derivation, PEM password callback handling, AES key unwrap bounds checking, digest finalization, and unchecked callback-returned lengths in PSK and cookie trampolines.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Affected Products
Sources
Related Stories
OpenSSL January Security Update Fixes CMS and PKCS#12 Stack Overflows With RCE Risk
**OpenSSL released a security update on January 27, 2026**, addressing **12 vulnerabilities** across supported branches, including **one High-severity issue with potential remote code execution (RCE)**, one Moderate, and multiple Low-severity flaws. The most serious vulnerability, **CVE-2025-15467 (High)**, is a **pre-authentication stack buffer overflow** in **CMS `AuthEnvelopedData` parsing** when using AEAD ciphers (e.g., **AES-GCM**); a crafted CMS message with an **oversized IV in ASN.1 parameters** can trigger a crash and may enable code execution in applications that parse **untrusted CMS/PKCS#7 content** (notably **S/MIME** workflows). Both sources emphasize that while **DoS is the most likely outcome in many environments**, the presence of a stack write primitive makes the issue operationally significant where untrusted CMS is processed. A second notable issue, **CVE-2025-11187 (Moderate)**, involves a **stack overflow during PKCS#12 MAC verification** (PBMAC1/PBKDF2-related validation), where attacker-controlled parameters (e.g., key length) can lead to crashes and potentially more severe impact when processing **untrusted PKCS#12 files** (e.g., certificate import/export, PKI/CA tooling). Affected versions called out include **OpenSSL 3.x** (with additional low-severity issues spanning older branches such as **1.0.2 and 1.1.1**), and patched releases include **3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19** (with corresponding fixes for older maintained lines). Datadog notes **OpenSSL 3.x FIPS modules are not affected** by the highlighted CMS and PKCS#12 overflow issues, and both sources point to higher risk in services that ingest these formats from external or user-supplied inputs (e.g., S/MIME gateways, certificate management services).
1 months ago
Heap Buffer Overflow Flaws Disclosed in wolfSSL DTLS and Wireshark TLS Parsing
Two high-severity memory-corruption vulnerabilities were disclosed in widely used TLS-related software components. **CVE-2026-5264** affects wolfSSL and stems from DTLS 1.3 ACK message processing, where a remote attacker can send a crafted ACK packet to trigger a heap buffer overflow. The flaw is classified as `CWE-122` and is network-reachable with low attack complexity and no privileges or user interaction required, raising concern for applications that expose DTLS 1.3 services. A separate flaw, **CVE-2026-5402**, was disclosed in Wireshark’s TLS protocol dissector and affects versions `4.6.0` through `4.6.4`. The vulnerability is also a heap-based buffer overflow (`CWE-122`) and could allow denial of service and possible code execution when malicious traffic is processed, with the CVSS vector indicating high impact to confidentiality, integrity, and availability. Public references point to a wolfSSL GitHub pull request for the DTLS issue and to a GitLab issue and official Wireshark security advisory for the dissector flaw.
3 days ago
OpenSSL Security Advisory for CMS and PKCS#12 Buffer Overflows
OpenSSL issued a **corrected security advisory** for its January 2026 update, adding **CVE-2026-22795** and **CVE-2026-22796** to the bulletin. The issues are described as **buffer overflows** affecting OpenSSL’s handling of **CMS** and **PKCS#12**, which can be triggered via crafted cryptographic inputs and may lead to memory corruption and potential exploitation depending on how vulnerable code paths are reached in consuming applications. A technical write-up of the same OpenSSL update highlights the CMS and PKCS#12 parsing risk and reinforces the need for rapid patching across environments that ingest untrusted certificates, signed messages, or PKCS#12 bundles (common in enterprise identity and certificate workflows). Other items in the set are unrelated (Firefox WebRTC RCE, Kubernetes authorization-to-RCE technique, a separate vulnerability-chain case study, operational security guidance, and non-OpenSSL security news) and should not be conflated with the OpenSSL advisory.
1 months ago