Out-of-bounds read in rust-openssl - #VU126497


Published: April 20, 2026


Vulnerability identifier: #VU126497
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Steven Fackler
Affected software:
rust-openssl

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the *_from_pem_callback APIs when the result of a user-supplied password callback is processed. A remote attacker can supply a callback that returns an oversized length to disclose sensitive information.

Only some versions of OpenSSL are affected, and OpenSSL 3.x is not affected.
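The following Rust example is added here to illustrate the bug class described above; it is not rust-openssl's code and does not use the crate. It models the boundary behind a *_from_pem_callback API with a hypothetical bridge: the user callback fills a fixed-size password buffer and reports how many bytes it wrote, and that count is handed to native code. The memory layout, the adjacent secret and the function names are constructed for the example.

```rust
/// Constructed stand-in for process memory: a fixed-size password buffer that
/// the user callback fills, followed by unrelated bytes that must never leak.
const PASSWORD_CAPACITY: usize = 16;
const ADJACENT_SECRET: &[u8] = b"SESSION-KEY-0123"; // constructed sample value

#[derive(Debug, PartialEq)]
pub enum BridgeError {
    /// The callback claimed to have written more bytes than the buffer holds.
    OversizedLength { reported: usize, capacity: usize },
}

/// Runs the user-supplied callback against the password buffer and returns the
/// whole constructed memory plus the byte count the callback reported.
fn run_callback<F: FnOnce(&mut [u8]) -> usize>(cb: F) -> (Vec<u8>, usize) {
    let mut memory = vec![0u8; PASSWORD_CAPACITY];
    memory.extend_from_slice(ADJACENT_SECRET);
    let reported = cb(&mut memory[..PASSWORD_CAPACITY]);
    (memory, reported)
}

/// Stand-in for the native consumer: it trusts `len` and reads that many bytes
/// from the start of the buffer. The read is clamped to the constructed memory
/// so this model stays defined; a real FFI read past the buffer is not.
fn native_consumer(memory: &[u8], len: usize) -> Vec<u8> {
    memory[..len.min(memory.len())].to_vec()
}

/// Vulnerable pattern: the callback's reported length is forwarded unchecked,
/// so an oversized value makes native code read past the password buffer.
pub fn bridge_unchecked<F: FnOnce(&mut [u8]) -> usize>(cb: F) -> Vec<u8> {
    let (memory, reported) = run_callback(cb);
    native_consumer(&memory, reported)
}

/// Hardened pattern: reject any reported length that exceeds the buffer before
/// native code is allowed to read from it.
pub fn bridge_checked<F: FnOnce(&mut [u8]) -> usize>(cb: F) -> Result<Vec<u8>, BridgeError> {
    let (memory, reported) = run_callback(cb);
    if reported > PASSWORD_CAPACITY {
        return Err(BridgeError::OversizedLength { reported, capacity: PASSWORD_CAPACITY });
    }
    Ok(native_consumer(&memory, reported))
}

/// A misbehaving callback: writes a short password but reports a length far larger.
pub fn oversized_callback(buf: &mut [u8]) -> usize {
    buf[..6].copy_from_slice(b"secret");
    32
}
```

With the oversized callback, the unchecked bridge hands 32 bytes to the consumer, including the adjacent secret, while the checked bridge returns an error before any read happens.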


Remediation

Install the security update from the vendor's website.

Sources