CVE-2026-41677: rust-openssl has an Out-of-bounds read in PEM password callback when returning an oversized length
The *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to read past the end of that buffer. OpenSSL 3.x is not affected.
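The check the advisory describes, as an added example that is not rust-openssl's own code: a stand-alone Rust model of the trampoline that hands a user callback's result back to a C-style password buffer, with the returned length validated against the buffer's capacity before it is trusted. The names run_password_callback, copy_password and PasswordCallbackError are assumptions for illustration, and the openssl crate is deliberately not used so the example compiles offline.

```rust
// Added example, not rust-openssl's code. Models the bridge between a Rust
// password callback and a C pem_password_cb-style buffer: OpenSSL hands over a
// fixed-size buffer and later reads back exactly as many bytes as the callback
// claims to have written. The guard below is the mitigation: an oversized
// length is rejected instead of being passed on.

#[derive(Debug, PartialEq)]
pub enum PasswordCallbackError {
    /// The callback reported more bytes than the buffer can hold.
    LengthExceedsBuffer { returned: usize, capacity: usize },
    /// The callback itself failed to produce a password.
    CallbackFailed,
}

/// Runs `cb` over `buf` and returns the password length only if it fits in
/// the buffer. Without this check, the integer would go straight back to
/// OpenSSL, which would read that many bytes from `buf`, past its end.
pub fn run_password_callback<F>(buf: &mut [u8], cb: F) -> Result<usize, PasswordCallbackError>
where
    F: FnOnce(&mut [u8]) -> Result<usize, PasswordCallbackError>,
{
    let capacity = buf.len();
    let returned = cb(buf)?;
    if returned > capacity {
        return Err(PasswordCallbackError::LengthExceedsBuffer { returned, capacity });
    }
    Ok(returned)
}

/// A well-behaved callback: copies the secret into the buffer and reports the
/// number of bytes actually written, truncating if the secret is longer than
/// the buffer OpenSSL offered.
pub fn copy_password(buf: &mut [u8], secret: &[u8]) -> Result<usize, PasswordCallbackError> {
    let n = secret.len().min(buf.len());
    buf[..n].copy_from_slice(&secret[..n]);
    Ok(n)
}

fn main() {
    // Constructed sample buffer; real PEM password buffers are larger.
    let mut buf = [0u8; 16];

    // Honest callback: length matches what was written.
    let len = run_password_callback(&mut buf, |b| copy_password(b, b"hunter2")).unwrap();
    println!("accepted length {len}");

    // Misbehaving callback: claims 1024 bytes while the buffer holds 16.
    let err = run_password_callback(&mut buf, |_b| Ok(1024)).unwrap_err();
    println!("rejected: {err:?}");
}
```

The design point is that the validation lives in the trampoline, not in the callback: a caller's closure is untrusted input from the library's perspective, so the bound is enforced at the boundary where the length would otherwise be handed to C.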
References
- github.com/advisories/GHSA-xmgf-hq76-4vx2
- github.com/rust-openssl/rust-openssl
- github.com/rust-openssl/rust-openssl/commit/5af6895c907773699f37f583f409b862284062b1
- github.com/rust-openssl/rust-openssl/pull/2605
- github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78
- github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2
- nvd.nist.gov/vuln/detail/CVE-2026-41677