rust-openssl, Buffer Overflow, CVE-2026-41676 (High)

Listen to this Post

The vulnerability arises from unsafe handling of buffer sizes in the `Deriver::derive` and `PkeyCtxRef::derive` methods when used with OpenSSL 1.1.1. These methods set a length variable (len) equal to the length of the caller’s output buffer (buf.len()) and pass a reference to it as both an input and output parameter to the underlying OpenSSL function EVP_PKEY_derive. This is intended to allow OpenSSL to update the length with the amount of data written.
However, on OpenSSL 1.1.x, the implementations for key exchange algorithms like X25519, X448, DH, and HKDF-extract completely ignore the incoming buffer length. They unconditionally write their full shared secret, which is 32 bytes for X25519, 56 bytes for X448, or the prime size for DH, directly into the provided buffer.
If a caller passes a short slice—for example, a 16-byte buffer—the `EVP_PKEY_derive` function will still attempt to write the full 32-byte X25519 secret. Because the wrapper passes the length by reference and trusts OpenSSL to honor it, no internal check prevents this. The result is a heap or stack overflow originating from what appears to be safe Rust code, as the methods do not perform the necessary length validation themselves. This issue specifically affects applications using OpenSSL 1.1.x; OpenSSL 3.x providers correctly validate the buffer length before writing.

DailyCVE Form:

Platform: rust-openssl (crates.io)
Version: <0.10.72 (OpenSSL 1.1.x)
Vulnerability: Heap/stack overflow
Severity: High
Date: 2026-04-19

Prediction: 2026-05-03 (2 weeks after disclosure)

Analytics under heading What Undercode Say:

Check for vulnerable dependency version in Cargo.toml
cargo tree | grep openssl@
grep 'openssl = "' Cargo.toml
Identify OpenSSL version linked at runtime
openssl version
Count potentially unsafe derive() calls in codebase
grep -r ".derive(" --include=".rs" | wc -l

Exploit:

An attacker who can control the key exchange process can force a victim application to call `derive()` with a buffer that is too small. For example, if the victim expects a 16-byte shared secret but the algorithm generates a 32‑byte secret, the overflow corrupts adjacent memory. This can be triggered regardless of the buffer’s location (heap or stack) and may lead to arbitrary code execution or denial of service.

Protection from this CVE

Upgrade to `rust-openssl` version 0.10.72 or later. If using OpenSSL 1.1.x, recompile with OpenSSL 3.x, or apply the upstream patch that adds explicit buffer length checks before calling EVP_PKEY_derive. Avoid passing stack‑allocated small buffers to `derive()` and always pre‑allocate buffers large enough for the maximum possible secret size (e.g., 56 bytes for X448).

Impact

Successful exploitation results in memory corruption that can crash the application or, under the right conditions, allow remote code execution. The vulnerability is reachable from safe Rust code without using `unsafe` blocks, undermining Rust’s memory‑safety guarantees. It primarily affects legacy systems still using OpenSSL 1.1.x, which is common in many enterprise environments.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top