{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41898", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-22T15:11:54.672Z", "datePublished": "2026-04-24T17:20:38.073Z", "dateUpdated": "2026-04-24T18:01:47.877Z"}, "containers": {"cna": {"title": "rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer", "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "lang": "en", "description": "CWE-126: Buffer Over-read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-130", "lang": "en", "description": "CWE-130: Improper Handling of Length Parameter Inconsistency", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3"}, {"name": "https://github.com/rust-openssl/rust-openssl/pull/2607", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/pull/2607"}, {"name": "https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c"}, {"name": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"}], "affected": [{"vendor": "rust-openssl", "product": "rust-openssl", "versions": [{"version": ">= 0.9.24, < 0.10.78", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:20:38.073Z"}, "descriptions": [{"lang": "en", "value": "rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78."}], "source": {"advisory": "GHSA-hppc-g8h3-xhp3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T18:01:38.714785Z", "id": "CVE-2026-41898", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:01:47.877Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41898", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-22T15:11:54.672Z", "datePublished": "2026-04-24T17:20:38.073Z", "dateUpdated": "2026-04-24T18:01:47.877Z"}, "containers": {"cna": {"title": "rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer", "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "lang": "en", "description": "CWE-126: Buffer Over-read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-130", "lang": "en", "description": "CWE-130: Improper Handling of Length Parameter Inconsistency", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3"}, {"name": "https://github.com/rust-openssl/rust-openssl/pull/2607", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/pull/2607"}, {"name": "https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c"}, {"name": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"}], "affected": [{"vendor": "rust-openssl", "product": "rust-openssl", "versions": [{"version": ">= 0.9.24, < 0.10.78", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:20:38.073Z"}, "descriptions": [{"lang": "en", "value": "rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78."}], "source": {"advisory": "GHSA-hppc-g8h3-xhp3", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41898", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T18:01:38.714785Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:01:43.767Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rust-openssl_project:rust-openssl:*:*:*:*:*:rust:*:*", "matchCriteriaId": "48B33EB8-16FE-4AD9-BB49-7000B56BC885", "versionEndExcluding": "0.10.78", "versionStartIncluding": "0.9.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78."}], "id": "CVE-2026-41898", "lastModified": "2026-04-28T17:45:23.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T18:16:29.860", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/rust-openssl/rust-openssl/pull/2607"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-126"}, {"lang": "en", "value": "CWE-130"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.9.24,0.10.78)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "rust-openssl", "source": "cna", "vendor": "rust-openssl"}, "product": "rust-openssl", "vendor": "rust-openssl_project"}], "analysis": {"en": {"generated_at": "2026-04-28T05:58:55.854404+00:00", "value": {"mitigation_remediation": ["Upgrade the rust-openssl crate to version 0.10.78 or later.", "Update all Cargo.toml dependencies to use the patched version and rebuild the application.", "If an immediate upgrade is not possible, modify or disable any custom PSK or cookie callbacks, ensuring that the length returned is validated before being passed to OpenSSL."], "summary": {"action": "Apply Patch", "impact": "Memory leakage and buffer overflow"}, "threat_synthesis": {"affected_systems": "The affected product is the rust-openssl library used in Rust applications, specifically versions 0.9.24 up to 0.10.77 inclusive. The fix was introduced in release 0.10.78.", "description_and_impact": "rust-openssl provides OpenSSL bindings for Rust. The vulnerability exists in versions 0.9.24 through 0.10.77, where the FFI trampolines for PSK callbacks and cookie generation forwarded a length returned by the user closure directly to OpenSSL without validating it against the supplied buffer. This unchecked length can cause buffer overflows or unintentional memory disclosure to a connected peer. The weaknesses are represented by CWE-126 and CWE-130.", "risk_and_exploitability": "The CVSS score of 8.3 indicates a high severity, but the EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attacks are likely to involve a Rust application that configures user-defined PSK or cookie callbacks; by providing a closure that returns an overly large length, an attacker could corrupt memory or cause OpenSSL to leak sensitive data to the network peer. The exploitation requires control over the application\u2019s callback implementation, so the threat is moderate but warrants prompt remediation."}}}}, "created": "2026-04-28T06:00:09.625205+00:00", "updated": "2026-04-28T08:45:26.955893+00:00", "vendors": ["rust-openssl_project", "rust-openssl_project$PRODUCT$rust-openssl"]}