PT-2026-35041 · Pypi · Rust-Openssl
Alex · Published 2026-04-22 · Updated 2026-04-30
CVE-2026-41898 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
rust-openssl versions 0.9.24 through 0.10.77
Description
The FFI trampolines behind set_psk_client_callback(), set_psk_server_callback(), set_cookie_generate_cb() and set_stateless_cookie_generate_cb() in SslContextBuilder forward the usize returned by the user's closure directly to OpenSSL without checking it against the length of the &mut [u8] the closure was given. OpenSSL treats that value as the number of valid bytes in the buffer (the PSK or cookie length), so a closure that returns a value larger than the slice makes OpenSSL read past the end of the buffer, producing a buffer over-read and other memory-safety consequences from code that is itself entirely safe Rust.
Recommendations
Update to version 0.10.78.
Fix
Buffer Over-read
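The following is an added example, not code from rust-openssl or from this advisory. It models the trampoline described above: a callback that fills a slice and returns a byte count, an unchecked trampoline that forwards that count as-is, and a checked one that rejects any count larger than the slice. The callback signature is simplified to a single &mut [u8] argument (the crate's real callbacks take additional arguments), KEY is a constructed 48-byte pre-shared key, and the names FillCallback, LengthError, trampoline_unchecked, trampoline_checked, run_unchecked and run_checked are this example's own. The C side is stood in by a safe function that returns None where OpenSSL would have read beyond the buffer.

```rust
// Added example, not rust-openssl's code: a model of the unchecked callback
// trampoline the advisory describes next to a checked replacement.

/// Returned by the checked trampoline when a callback claims more bytes than
/// it was given room for.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LengthError {
    pub reported: usize,
    pub capacity: usize,
}

/// Simplified callback shape: fill the buffer, return the number of bytes
/// that are now valid (0 tells OpenSSL that no PSK/cookie is available).
/// The real crate callbacks take extra arguments; the slice/length contract
/// is the same.
pub type FillCallback = dyn Fn(&mut [u8]) -> usize;

/// Constructed 48-byte pre-shared key used by both sample callbacks.
pub const KEY: &[u8] = b"0123456789abcdef0123456789abcdef0123456789abcdef";

/// Stand-in for the C side. OpenSSL would read `len` bytes from the buffer
/// without knowing its true size; here `None` marks the read it would have
/// made past the end, so the demonstration stays in safe Rust.
pub fn c_side_read(buf: &[u8], len: usize) -> Option<Vec<u8>> {
    buf.get(..len).map(|b| b.to_vec())
}

/// Unchecked trampoline, the behaviour the advisory attributes to 0.10.77
/// and earlier: the closure's value is forwarded as-is.
pub fn trampoline_unchecked(cb: &FillCallback, buf: &mut [u8]) -> usize {
    cb(&mut *buf)
}

/// Checked trampoline: a length that does not fit the slice is rejected
/// before it reaches the C side.
pub fn trampoline_checked(cb: &FillCallback, buf: &mut [u8]) -> Result<usize, LengthError> {
    let reported = cb(&mut *buf);
    if reported > buf.len() {
        Err(LengthError { reported, capacity: buf.len() })
    } else {
        Ok(reported)
    }
}

/// Buggy but memory-safe closure: copies what fits, then reports the full
/// key length. Rust never panicked, yet the reported length is wrong.
pub fn buggy_callback(psk: &mut [u8]) -> usize {
    let n = KEY.len().min(psk.len());
    psk[..n].copy_from_slice(&KEY[..n]);
    KEY.len()
}

/// Correct closure: report only what was written, or 0 when the key does
/// not fit so OpenSSL fails the handshake instead of using a truncated PSK.
pub fn correct_callback(psk: &mut [u8]) -> usize {
    if KEY.len() > psk.len() {
        return 0;
    }
    psk[..KEY.len()].copy_from_slice(KEY);
    KEY.len()
}

/// Drives one callback through the unchecked path with a buffer of
/// `capacity` bytes; returns the forwarded length and what the C side
/// would have read (`None` = read past the buffer).
pub fn run_unchecked(cb: &FillCallback, capacity: usize) -> (usize, Option<Vec<u8>>) {
    let mut buf = vec![0u8; capacity];
    let len = trampoline_unchecked(cb, &mut buf);
    (len, c_side_read(&buf, len))
}

/// Same, through the checked path.
pub fn run_checked(cb: &FillCallback, capacity: usize) -> Result<usize, LengthError> {
    let mut buf = vec![0u8; capacity];
    trampoline_checked(cb, &mut buf)
}

fn main() {
    let (len, read) = run_unchecked(&buggy_callback, 32);
    println!("unchecked, 32-byte buffer: forwarded {}, C side read {:?}", len, read);
    println!("checked, 32-byte buffer: {:?}", run_checked(&buggy_callback, 32));
    println!("checked, 64-byte buffer: {:?}", run_checked(&buggy_callback, 64));
    println!("correct callback, 32-byte buffer: {:?}", run_checked(&correct_callback, 32));
}
```

The point of the checked trampoline is that the bounds check lives in the binding, not in every user closure: a closure like buggy_callback compiles and runs without a panic, and only the length it reports is wrong. Whether the binding should reject such a value with an error or clamp it is a design choice; the example rejects it so the mistake is visible rather than silently shortening the PSK.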
Related Identifiers
Affected Products
Rust-Openssl