rust-openssl, Out-of-bounds Write, GHSA-hppc-g8h3-xhp3 (High)

Listen to this Post

The FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and `set_stateless_cookie_generate_cb` forward the length returned by a user’s Rust closure (as usize) directly to OpenSSL without verifying it against the actual capacity of the `&mut

` buffer provided to the closure. If the callback writes fewer bytes than the buffer’s length but returns a larger index, or if it returns a value that exceeds <code>buffer.len()</code>, the trampoline passes that oversized length to OpenSSL. This allows OpenSSL to access or write memory beyond the allocated buffer, causing an out‑of‑bounds write or out‑of‑bounds read. The vulnerability affects all versions of `rust-openssl` from 0.9.24 up to (but not including) 0.10.78. Because the buffer may be placed on the heap or the stack, an attacker who controls the closure’s logic can corrupt adjacent data, leak memory, or in severe cases achieve arbitrary code execution. The flaw corresponds to CWE‑126 (Buffer Over‑read) and CWE‑130 (Improper Handling of Length Parameter) and is present in both client and server PSK callbacks as well as cookie callbacks.

<h2 style="color: blue;">dailycve form</h2>

Platform: rust-openssl
Version: 0.9.24 to <0.10.78
Vulnerability : Unchecked callback length
Severity: High
date: 2026-04-22
<h2 style="color: blue;">Prediction: 2026-04-22</h2>

<h2 style="color: blue;">What Undercode Say</h2>

<h2 style="color: blue;">Bash commands to detect vulnerable version:</h2>

[bash]
Check Cargo.toml for openssl dependency
grep -E '^openssl = ['\''"]?[0-9]' Cargo.toml
Inspect Cargo.lock for exact version
grep -A 2 'openssl ' Cargo.lock | grep version
Use cargo-audit to scan for GHSA-hppc-g8h3-xhp3
cargo audit --id GHSA-hppc-g8h3-xhp3

Vulnerable callback example:

ssl_ctx_builder.set_psk_client_callback(|_, _, identity, psk| {
// Attacker‑controlled: return length bigger than psk buffer
psk.len() + 0x100
});

Exploit

By returning a length larger than the supplied mutable slice, an attacker can cause OpenSSL to write past the buffer’s end. For a closure that copies a PSK identity or a session cookie, the oversized return value leads to an out‑of‑bounds write into adjacent memory. This can corrupt other heap or stack data, potentially allowing denial of service, information disclosure of neighboring memory, or – if the attacker can carefully control the written bytes – arbitrary code execution.

Protection from this CVE

Upgrade the `openssl` crate to version 0.10.78 or later.
If immediate upgrade is not possible, avoid using the affected callbacks (set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, set_stateless_cookie_generate_cb) until the patch is applied.

Impact

  • Buffer overflow (out‑of‑bounds write / read)
  • Memory corruption → potential arbitrary code execution
  • Information leak of adjacent memory contents
  • Denial of service (crash) if the overflow hits a guard page or critical structure

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top