Bug 2461609 (CVE-2026-41677) - CVE-2026-41677 rust-openssl: OpenSSL: rust-openssl: Information Disclosure Vulnerability in Password Callback
Keywords:
Status: NEW
Alias: CVE-2026-41677
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2463744 2463745 2463746
Blocks:
Reported: 2026-04-24 18:01 UTC by OSIDB Bzimport
Modified: 2026-04-29 08:43 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-24 18:01:53 UTC
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's password callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to read past the end of that buffer. OpenSSL 3.x is not affected by this. This vulnerability is fixed in 0.10.78.
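The defect above is a missing bounds check between the user's callback and the C code that consumes its return value. The example below is added here and is not code from rust-openssl or OpenSSL; it models the callback contract of the *_from_pem_callback APIs as a closure of shape `FnOnce(&mut [u8]) -> Result<usize, E>` (assumed from the crate's public API; the real error type is the crate's `ErrorStack`, replaced by a stand-in `PasswordError`). `write_password` shows what a well-behaved callback does, and `run_password_callback` is the binding-side guard that rejects a returned length larger than the buffer before that length is trusted.

```rust
// Added example; not rust-openssl's or OpenSSL's own code. The callback shape
// FnOnce(&mut [u8]) -> Result<usize, _> is assumed from the crate's public API.

#[derive(Debug, PartialEq)]
pub enum PasswordError {
    /// The supplied secret does not fit in the buffer handed to the callback.
    SecretTooLong { needed: usize, capacity: usize },
    /// The callback claimed more bytes than the buffer holds. Without this
    /// check that length would be handed back to C and used to read past the
    /// buffer, which is the defect described in this bug.
    LengthExceedsBuffer { returned: usize, capacity: usize },
}

/// A well-behaved password callback body: copies `secret` into `buf` and
/// returns exactly the number of bytes written, never more than `buf.len()`.
/// A secret that does not fit is an error rather than a silent truncation.
pub fn write_password(buf: &mut [u8], secret: &[u8]) -> Result<usize, PasswordError> {
    if secret.len() > buf.len() {
        return Err(PasswordError::SecretTooLong { needed: secret.len(), capacity: buf.len() });
    }
    buf[..secret.len()].copy_from_slice(secret);
    Ok(secret.len())
}

/// Binding-side guard: run the user's callback, then validate the length it
/// reports against the buffer it was given. `Ok(n)` means the first `n`
/// bytes of `buf` are the password and `n <= buf.len()` is guaranteed.
pub fn run_password_callback<F>(buf: &mut [u8], callback: F) -> Result<usize, PasswordError>
where
    F: FnOnce(&mut [u8]) -> Result<usize, PasswordError>,
{
    let n = callback(buf)?;
    if n > buf.len() {
        return Err(PasswordError::LengthExceedsBuffer { returned: n, capacity: buf.len() });
    }
    Ok(n)
}

fn main() {
    // Constructed sample: a 16-byte buffer standing in for the one OpenSSL
    // passes to the callback, and a constructed password.
    let mut buf = [0u8; 16];
    let n = run_password_callback(&mut buf, |b| write_password(b, b"hunter2")).unwrap();
    println!("password bytes: {:?}", &buf[..n]);

    // A misbehaving callback that reports a length larger than its buffer is
    // rejected instead of being passed through to C.
    let mut buf = [0u8; 16];
    let err = run_password_callback(&mut buf, |b| Ok(b.len() + 1024)).unwrap_err();
    println!("rejected: {:?}", err);
}
```

When auditing a binding of this kind, the check to look for is the one in `run_password_callback`: the length returned by user code must be compared against the capacity of the buffer before it crosses the FFI boundary, because the C side has no other way to know how many bytes are valid.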

