SB2026050553 - Multiple vulnerabilities in rust-openssl

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2026-42327)

The vulnerability allows a remote attacker to trigger undefined behavior.

The vulnerability exists due to improper handling of non-UTF-8 data in X509Ref::ocsp_responders when parsing OCSP responder URLs from a certificate's AIA extension. A remote attacker can supply a specially crafted certificate to trigger undefined behavior.

2) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause heap corruption.

The vulnerability exists due to a heap-based buffer overflow in CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update when encrypting non-multiple-of-8 input with AES key-wrap-with-padding ciphers. A remote attacker can supply attacker-influenced plaintext length to cause heap corruption.

This only impacts applications using AES key-wrap-with-padding ciphers.

Remediation

Install update from vendor's website.

References

• https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
• https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726