Listen to this Post
How the CVE Works:
The vulnerability resides in the rust-openssl crate’s handling of AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). Functions CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update allocate output buffers based on the input plaintext length. For non-multiple-of-8 inputs, the OpenSSL library writes up to 7 extra bytes beyond the allocated buffer’s end. This occurs because the wrap-padding mode expands the ciphertext by at least 8 bytes, but the Rust wrapper fails to add the necessary padding overhead when sizing the buffer. An attacker who controls the plaintext length can trigger this heap buffer overflow. The overflow corrupts adjacent heap metadata or application data, leading to arbitrary code execution or denial of service. The issue only manifests when using the vulnerable ciphers; other AES modes are unaffected. The padding mechanism in OpenSSL writes 8 bytes of integrity check plus up to 7 pad bytes, but the Rust binding mistakenly computes a buffer of size `input_len` instead of input_len + 8 + pad. The overflow is bounded (max 7 bytes), yet attacker-controlled values for the last block can determine the precise overflow offset. On 64-bit systems, heap allocator metadata lies after small allocations, making corruption exploitable. The vulnerability was introduced when adding support for wrap-pad ciphers and affects all rust-openssl versions before the patch.
dailycve form:
Platform: rust-openssl crate
Version: Affected versions
Vulnerability: Heap buffer overflow
Severity: Moderate
date: May 7, 2026
Prediction: May 14, 2026
What Undercode Say:
Analytics
bash commands:
Check rust-openssl version
cargo tree | grep openssl
Test for vulnerable pattern (requires hexdump)
echo -n “plaintext” | openssl enc -aes-256-wrap-pad -K 000102030405060708090A0B0C0D0E0F -iv A65959A6 -out out.bin 2>/dev/null; ls -l out.bin
Monitor heap corruption via MALLOC_CHECK_=3
MALLOC_CHECK_=3 cargo run –example wrap_pad_test
Detect overflow with Valgrind
valgrind –tool=memcheck –track-origins=yes cargo test –lib — wrap_pad
Exploit:
Attacker controls plaintext length to be non-multiple-of-8, e.g., 9 bytes. Rust code calls Crypter::update with a Vec of size 9. OpenSSL writes 16 bytes (9+7), overflowing by 7 bytes into next heap chunk. Overwriting heap metadata or function pointers yields code execution. Proof-of-concept: Repeated encryptions with crafted lengths cause allocator assertion failures or controlled corruption.
Protection from this CVE:
Update rust-openssl to patched version (>=0.10.70 or commit containing fix). If update impossible, avoid using AES key-wrap-with-padding ciphers (EVP_aes_wrap_pad). Validate input length; reject non-multiple-of-8 plaintexts or manually allocate extra 8 bytes. Enable heap hardening (MALLOC_CHECK_=3, guard pages). Compile with instrumentation: `RUSTFLAGS=”-Z sanitizer=address”` and ASAN_OPTIONS=detect_odr_violation=0. Use alternative cryptography libraries (ring, aws-lc-rs).
Impact:
Heap buffer overflow (up to 7 bytes) enabling arbitrary heap corruption. An attacker who influences plaintext length can crash the application or execute arbitrary code. Confidentiality, integrity, and availability compromised. Moderate severity due to overflow size limit and requirement of specific cipher mode. In multi-tenant environments, an attacker may escalate privileges or leak sensitive memory.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
