rust-openssl, undefined behavior (High severity)


How the CVE works (approx. 20 lines):

The flaw resides in the `X509Ref::ocsp_responders` method, which extracts OCSP responder URLs from a certificate’s Authority Information Access (AIA) extension. Inside rust‑openssl, each URL is returned as an `OpensslString`, a wrapper around an OpenSSL‑allocated buffer that dereferences to `&str` by calling `str::from_utf8_unchecked` on the raw bytes. That call skips UTF‑8 validation entirely. OpenSSL does not enforce that the underlying `IA5String` is 7‑bit ASCII when it parses the extension; the `accessLocation` can carry arbitrary bytes. When a certificate supplies a non‑UTF‑8 OCSP `accessLocation` (for example, a truncated multi‑byte sequence or bytes such as `0xFF`), the unchecked conversion hands the caller a `&str` that violates the invariant every `str` method relies on. Merely holding such a value is already undefined behavior; in practice, routines that assume valid char boundaries (iterating `chars()`, slicing, formatting) can read past the end of the buffer, panic, or misbehave in other ill‑defined ways. Because the unsafe conversion is buried inside a safe API, a caller written entirely in safe Rust can trigger it without any `unsafe` of its own. The impact is magnified because the certificate can be supplied remotely (a peer certificate in a TLS handshake, or any certificate file an application parses), so the bug is reachable from untrusted input whenever the application calls `ocsp_responders` on it. The issue affects every release in which `X509Ref::ocsp_responders` is implemented with `str::from_utf8_unchecked` (0.10.77 and earlier), and it was fixed in the 0.10.78 release by replacing the unchecked conversion with a fallible UTF‑8 check.
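To make the distinction concrete, the following stand‑alone Rust is an added example, not code from rust‑openssl, showing the shape of the flawed conversion next to two hardened forms, run over constructed `accessLocation` bytes. It assumes the bytes have already been pulled out of the AIA extension; the function names and sample bytes are hypothetical.

```rust
use std::str::Utf8Error;

// Constructed sample accessLocation contents (not taken from any real certificate):
// a valid ASCII URL, and the same URL followed by bytes that are not valid UTF-8.
const GOOD_URL: &[u8] = b"http://ocsp.example.net/";
const BAD_URL: &[u8] = b"http://ocsp.example.net/\xFF\xFE";

/// The shape of the flawed conversion in affected versions: the bytes are
/// trusted and validation is skipped. Kept here only to show the contract that
/// is broken; never call it on input you do not control.
fn ocsp_url_unchecked(raw: &[u8]) -> &str {
    // SAFETY: none can be given for attacker-supplied bytes. This is the unsound step.
    unsafe { std::str::from_utf8_unchecked(raw) }
}

/// The hardened shape used by the fix: fail closed on anything that is not UTF-8.
/// The error also reports how many leading bytes were valid, which is useful in logs.
fn ocsp_url_checked(raw: &[u8]) -> Result<&str, Utf8Error> {
    std::str::from_utf8(raw)
}

/// Stricter still: an IA5String is defined as 7-bit ASCII, so a URL that is
/// well-formed UTF-8 but contains non-ASCII bytes is still malformed for this field.
fn ocsp_url_ia5(raw: &[u8]) -> Option<&str> {
    if raw.is_ascii() {
        // Every ASCII byte sequence is valid UTF-8, so this cannot fail.
        std::str::from_utf8(raw).ok()
    } else {
        None
    }
}

fn main() {
    // Only the good input is ever passed through the unchecked path.
    println!("unchecked (trusted input): {}", ocsp_url_unchecked(GOOD_URL));
    match ocsp_url_checked(BAD_URL) {
        Ok(s) => println!("accepted: {s}"),
        Err(e) => println!("rejected: valid for {} bytes only", e.valid_up_to()),
    }
    // Well-formed UTF-8 ("é"), yet not a legal IA5String.
    println!("ia5 check: {:?}", ocsp_url_ia5(b"http://ocsp.example.net/\xC3\xA9"));
}
```

The unchecked function is only ever called on the known‑good constant; feeding `BAD_URL` to it would reproduce the bug rather than demonstrate the fix.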

DailyCVE form (3 words max per line):

Platform: rust-openssl
Version: <=0.10.77
Vulnerability: non‑UTF‑8 OCSP
Severity: High
Date: 2026‑05‑04

Prediction: 2026‑05‑15

Analytics – What Undercode Say

Check installed rust-openssl version (and which crates pull it in)
cargo tree -i openssl
Verify distribution‑provided package (Fedora example)
dnf list installed rust-openssl
Example code that exposes the issue
use openssl::x509::X509;
let cert = X509::from_pem(cert_pem).unwrap();
// In affected versions each OpensslString derefs to &str without UTF-8 validation
let responders = cert.ocsp_responders().unwrap();
for url in responders.iter() {
    let s: &str = url; // UB if the IA5String bytes are not valid UTF-8
    println!("{} chars", s.chars().count()); // may read past the buffer
}

Exploit

  1. Craft an X.509 certificate where the `OCSP accessLocation` IA5String contains arbitrary non‑UTF‑8 bytes.
  2. Present the certificate to any application that extracts OCSP responder URLs via X509Ref::ocsp_responders.
  3. The application receives, through a safe API, a `&str` whose bytes are not valid UTF‑8. Any use of it is undefined behavior; in practice this shows up as out‑of‑bounds reads by string routines that assume valid char boundaries, panics, or crashes.

Protection from this CVE

  • Upgrade the `openssl` crate to version 0.10.78 or later.
  • For binary distributions (e.g., Fedora, Debian), update the `rust-openssl` system package to the patched version.
  • Rebuild and redeploy every binary that depends on the crate; Rust links dependencies statically, so updating the crate source alone does not fix executables that were already built.
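`cargo tree` answers the question for one workspace; for a fleet of repositories it is handier to scan the committed `Cargo.lock` files. The following Rust is an added example, not tooling from the rust‑openssl project: it parses the `[[package]]` entries of a constructed lock file excerpt and flags any pinned `openssl` version below the 0.10.78 release the advisory names as fixed. The lock file contents and the threshold are the only inputs; function names are hypothetical.

```rust
// Constructed Cargo.lock excerpt (not from a real project), in the lock file's
// `[[package]]` layout. Only `name` and `version` are read.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "openssl"
version = "0.10.77"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.110"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// First release of the `openssl` crate carrying the fix, per the advisory text.
const FIXED: (u64, u64, u64) = (0, 10, 78);

/// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release/build suffix on PATCH).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.trim().split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    // "78-beta.1" -> "78": keep only the leading digits of the patch component.
    let patch = parts
        .next()?
        .split(|c: char| !c.is_ascii_digit())
        .next()?
        .parse()
        .ok()?;
    Some((major, minor, patch))
}

/// Every version of the crate named exactly `name` recorded in the lock file.
/// A lock file can pin one crate at several versions, so this returns a Vec.
fn locked_versions(lock: &str, name: &str) -> Vec<String> {
    let mut out = Vec::new();
    for block in lock.split("[[package]]") {
        let mut pkg_name = None;
        let mut pkg_ver = None;
        for line in block.lines() {
            if let Some(v) = line.strip_prefix("name = ") {
                pkg_name = Some(v.trim().trim_matches('"'));
            } else if let Some(v) = line.strip_prefix("version = ") {
                pkg_ver = Some(v.trim().trim_matches('"'));
            }
        }
        if pkg_name == Some(name) {
            if let Some(v) = pkg_ver {
                out.push(v.to_string());
            }
        }
    }
    out
}

/// Pinned `openssl` versions below the fixed release. A version that does not
/// parse is reported too, so it gets a human look rather than a silent pass.
fn vulnerable_openssl_versions(lock: &str) -> Vec<String> {
    locked_versions(lock, "openssl")
        .into_iter()
        .filter(|v| parse_version(v).map_or(true, |t| t < FIXED))
        .collect()
}

fn main() {
    for v in vulnerable_openssl_versions(SAMPLE_LOCK) {
        println!("openssl {} is below {}.{}.{}: upgrade and rebuild", v, FIXED.0, FIXED.1, FIXED.2);
    }
}
```

Matching on the exact crate name matters: `openssl-sys` and `openssl-probe` share the prefix but are not the affected crate.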

Impact

  • Undefined behavior – A `&str` holding invalid UTF‑8 breaks the invariant std relies on; routines that decode chars can read past the end of the buffer (for example, on a truncated multi‑byte sequence at the end of the URL), and the process may crash or panic.
  • Remote trigger – An attacker only needs to supply a malicious certificate (a peer certificate in a TLS handshake, or any certificate the application parses with rust‑openssl), provided the application calls X509Ref::ocsp_responders on it.
  • Broken safety guarantees – Safe Rust code becomes unsound, undermining the memory‑safety promise callers rely on.
  • Potential for further exploitation – The realistic outcome is a crash (denial of service); because the behavior is undefined, worse outcomes cannot be ruled out, but no code‑execution path is demonstrated here.


Sources:

Reported By: github.com