Bug 2461609 (CVE-2026-41677)

Summary: CVE-2026-41677 rust-openssl: OpenSSL: rust-openssl: Information Disclosure Vulnerability in Password Callback
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aadhikar, adudiak, akostadi, amasferr, anpicker, anthomas, bdettelb, bparees, brasmith, bsmejkal, cochase, csutherl, dbosanac, derez, dmayorov, doconnor, dranck, dschmidt, dsoumis, eborisov, ehelms, erezende, eshamard, ggainey, gotiwari, gtanzill, hasun, jachapma, jbuscemi, jcantril, jclere, jfula, jgrulich, jhorak, jkoehler, jlanda, jlledo, jmitchel, jowilson, jreimann, juwatts, jvasik, kaycoth, kshier, lball, lphiri, mdessi, mhulan, mreynolds, mrizzi, mvyas, ngough, nmoumoul, nyancey, ometelka, osousa, pantinor, pbohmill, pcattana, pcreech, pjindal, plodge, progier, ptisnovs, rblanco, rchan, rhel-process-autobot, rjohnson, rmaucher, rojacob, simaishi, smallamp, smcdonal, snegrini, spichugi, stcannon, syedriko, szappis, tbordaz, teagle, tmalecek, tpopela, tsedmik, vashirov, vchlup, veshanka, watson-tool-maintainers, xdharmai, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in rust-openssl, a library that provides OpenSSL functionalities for Rust applications. The library's password callback functions did not correctly check the size of data provided by a user's callback. This oversight could allow a specially crafted password callback to read beyond its designated memory area. Such an issue might lead to the disclosure of sensitive information or cause the application to become unavailable.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2463744, 2463745, 2463746
Bug Blocks:

Description OSIDB Bzimport 2026-04-24 18:01:53 UTC
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.
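The check that was missing is a one-line bounds comparison between the byte count a password callback reports and the size of the buffer it was handed. The following is an added illustration, written for this record and not taken from rust-openssl or OpenSSL: it models the callback shape the description implies (the callback fills a mutable byte slice and returns how many bytes it wrote) with a plain `String` error type, and shows a trampoline that refuses an over-reported length before anything downstream could act on it. The function names `run_password_callback`, `honest_callback` and `overreporting_callback`, the error enum, the buffer capacity and the sample password are all constructed for the example.

```rust
// Added example, not rust-openssl code. Models a password callback that writes
// into a fixed-size buffer and reports a byte count, plus the length check that
// a safe trampoline must perform before trusting that count.
use std::fmt;

/// Errors the trampoline can surface. Constructed for this example.
#[derive(Debug, PartialEq)]
pub enum PasswordError {
    /// The callback claimed to have written more bytes than the buffer holds.
    LengthExceedsBuffer { reported: usize, capacity: usize },
    /// The callback itself reported a failure.
    Callback(String),
}

impl fmt::Display for PasswordError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            PasswordError::LengthExceedsBuffer { reported, capacity } => write!(
                f,
                "password callback reported {} bytes for a {}-byte buffer",
                reported, capacity
            ),
            PasswordError::Callback(msg) => write!(f, "password callback failed: {}", msg),
        }
    }
}

/// Hand a zeroed buffer of `capacity` bytes to `callback`, then return the
/// password bytes it wrote. The reported length is validated against the
/// buffer before it is used; the unpatched trampoline described in this bug
/// skipped that comparison and passed the raw count through to C, where it
/// became the number of bytes read from the buffer.
pub fn run_password_callback<F>(capacity: usize, callback: F) -> Result<Vec<u8>, PasswordError>
where
    F: FnOnce(&mut [u8]) -> Result<usize, String>,
{
    let mut buf = vec![0u8; capacity];
    let len = callback(&mut buf).map_err(PasswordError::Callback)?;
    // The fix: never trust a length the caller did not bound.
    if len > buf.len() {
        return Err(PasswordError::LengthExceedsBuffer { reported: len, capacity: buf.len() });
    }
    Ok(buf[..len].to_vec())
}

/// A well-behaved callback: copies a constructed sample password into the
/// buffer and reports exactly the number of bytes it wrote.
pub fn honest_callback(buf: &mut [u8]) -> Result<usize, String> {
    let secret = b"hunter2"; // constructed sample password
    if secret.len() > buf.len() {
        return Err("buffer too small for password".to_string());
    }
    buf[..secret.len()].copy_from_slice(secret);
    Ok(secret.len())
}

/// A misbehaving callback of the kind the description mentions: it writes
/// nothing outside the buffer (safe Rust cannot), but reports a count larger
/// than the buffer. Without the check above, that count would reach C.
pub fn overreporting_callback(buf: &mut [u8]) -> Result<usize, String> {
    Ok(buf.len() + 16)
}

fn main() {
    match run_password_callback(64, honest_callback) {
        Ok(pw) => println!("accepted {} password bytes", pw.len()),
        Err(e) => println!("rejected: {}", e),
    }
    match run_password_callback(64, overreporting_callback) {
        Ok(pw) => println!("accepted {} password bytes", pw.len()),
        Err(e) => println!("rejected: {}", e),
    }
}
```

In the real binding the buffer is allocated by OpenSSL and the count travels back across the FFI boundary, so the comparison has to happen in the Rust trampoline, before the C side sees the value; a `&buf[..len]` slice in safe Rust would merely panic, whereas C reads `len` bytes regardless.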