216.73.216.75

CVE-2026-42327

· Published 14/05/2026 21:16 · Modified 15/05/2026 14:55

Labels: CVE-2026-42327 2026-05-14CVE-2026-42327CWE-20[email protected]

Essential information

Published
14/05/2026 21:16
Modified
15/05/2026 14:55
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
rust-lang / rust-openssl cpe:2.3:a:rust-lang:rust-openssl:<0.10.79:*:*:*:*:*:*:*

References