CVE-2026-42327

Name of the Vulnerable Software and Affected Versions rust-openssl versions 0.9.7 through 0.10.78

Description The X509Ref::ocsp responders() function returns OCSP responder URLs from a certificate's AIA extension as OpensslString. The Deref<Target = str> implementation wraps raw bytes using str::from utf8 unchecked. Because OpenSSL does not enforce that the underlying IA5String is ASCII, a certificate containing non-UTF-8 bytes in its OCSP accessLocation can cause safe Rust code to construct a &str that violates the UTF-8 invariant, leading to undefined behavior.

Recommendations Update to version 0.10.79.