{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41681", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-22T03:53:24.406Z", "datePublished": "2026-04-24T17:19:15.187Z", "dateUpdated": "2026-04-24T17:42:54.765Z"}, "containers": {"cna": {"title": "rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj"}, {"name": "https://github.com/rust-openssl/rust-openssl/pull/2608", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/pull/2608"}, {"name": "https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe"}, {"name": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"}], "affected": [{"vendor": "rust-openssl", "product": "rust-openssl", "versions": [{"version": ">= 0.10.39, < 0.10.78", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:21:01.454Z"}, "descriptions": [{"lang": "en", "value": "rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. This vulnerability is fixed in 0.10.78."}], "source": {"advisory": "GHSA-ghm9-cr32-g9qj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T17:42:49.447277Z", "id": "CVE-2026-41681", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:42:54.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41681", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T17:42:49.447277Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:42:51.659Z"}}], "cna": {"title": "rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check", "source": {"advisory": "GHSA-ghm9-cr32-g9qj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rust-openssl", "product": "rust-openssl", "versions": [{"status": "affected", "version": ">= 0.10.39, < 0.10.78"}]}], "references": [{"url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj", "name": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rust-openssl/rust-openssl/pull/2608", "name": "https://github.com/rust-openssl/rust-openssl/pull/2608", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe", "name": "https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78", "name": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. This vulnerability is fixed in 0.10.78."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:21:01.454Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41681", "state": "PUBLISHED", "dateUpdated": "2026-04-24T17:42:54.765Z", "dateReserved": "2026-04-22T03:53:24.406Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T17:19:15.187Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rust-openssl_project:rust-openssl:*:*:*:*:*:rust:*:*", "matchCriteriaId": "6027F7A1-EB1E-42B3-834F-7F0B93742F16", "versionEndExcluding": "0.10.78", "versionStartIncluding": "0.10.39", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust. This vulnerability is fixed in 0.10.78."}], "id": "CVE-2026-41681", "lastModified": "2026-04-28T17:44:16.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T18:16:29.717", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/rust-openssl/rust-openssl/pull/2608"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.39,0.10.78)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "rust-openssl", "source": "cna", "vendor": "rust-openssl"}, "product": "rust-openssl", "vendor": "rust-openssl_project"}], "analysis": {"en": {"generated_at": "2026-04-28T05:59:11.204751+00:00", "value": {"mitigation_remediation": ["Upgrade the rust\u2011openssl crate to 0.10.78 or newer and rebuild all dependent projects.", "Ensure your Cargo.lock or lockfile references the patched version and that no older dependency is pulled in by transitive dependencies.", "After upgrading, monitor for abnormal crashes or memory corruption that could indicate older versions were still in use."], "summary": {"action": "Immediate Patch", "impact": "Potential stack corruption leading to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Applications that depend on the rust\u2011openssl crate between versions 0.10.39 and before 0.10.78 are affected. Any Rust program that links to these releases and calls EVP_DigestFinal or digest_final with an undersized buffer is vulnerable. The issue was fixed in release 0.10.78 and later versions.", "description_and_impact": "The vulnerability occurs when the rust\u2011openssl crate\u2019s MdCtxRef::digest_final method writes more bytes to the supplied output buffer than the buffer can hold. If the caller passes a buffer smaller than EVP_MD_CTX_size(ctx), the function overwrites adjacent memory, typically corrupting the stack. This overflow is reachable from safe Rust code, meaning an attacker can trigger it without unsafe operations. The stack corruption can lead to arbitrary code execution, denial of service, or other severe impacts depending on how the corrupted stack is used.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this issue as high severity, but the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local or application\u2011level, as the flaw is reachable through safe Rust code. A malicious actor who controls the data passed to digest_final or the buffer size could exploit the overflow to corrupt memory, which may result in code execution or a crash. No remote exploitation vector is documented in the provided description."}}}}, "created": "2026-04-28T06:00:09.625488+00:00", "updated": "2026-04-28T08:45:26.956397+00:00", "vendors": ["rust-openssl_project", "rust-openssl_project$PRODUCT$rust-openssl"]}