CVE-2026-42327

EUVD-2026-30474
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.
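The invariant described above, as an added example that is not code from rust-openssl: raw accessLocation bytes are classified with the checked `str::from_utf8` before anything is exposed as `&str`. The names `Location`, `classify` and `accepted_responders` and the sample byte strings are assumptions constructed for illustration.

```rust
use std::str;

/// How raw bytes from an OCSP accessLocation relate to Rust's `str` invariant.
#[derive(Debug, PartialEq)]
enum Location<'a> {
    /// Pure 7-bit ASCII: a well-formed IA5String, safe to expose as `&str`.
    Ia5(&'a str),
    /// Valid UTF-8 but not ASCII: sound as `&str`, yet not a legal IA5String.
    Utf8NotIa5(&'a str),
    /// Not UTF-8: an unchecked `&str` over these bytes is undefined behavior.
    InvalidUtf8 { valid_up_to: usize },
}

/// Checked classification (hypothetical helper, not a rust-openssl API).
fn classify(raw: &[u8]) -> Location<'_> {
    match str::from_utf8(raw) {
        Ok(s) if s.is_ascii() => Location::Ia5(s),
        Ok(s) => Location::Utf8NotIa5(s),
        Err(e) => Location::InvalidUtf8 { valid_up_to: e.valid_up_to() },
    }
}

/// Keep only responder URLs that are well-formed IA5; report the rest by index.
fn accepted_responders<'a>(raw: &[&'a [u8]]) -> (Vec<&'a str>, Vec<usize>) {
    let mut ok = Vec::new();
    let mut rejected = Vec::new();
    for (i, &bytes) in raw.iter().enumerate() {
        match classify(bytes) {
            Location::Ia5(s) => ok.push(s),
            _ => rejected.push(i),
        }
    }
    (ok, rejected)
}

fn main() {
    // Constructed sample values, not taken from any real certificate.
    let samples: [&[u8]; 3] = [
        b"http://ocsp.example.test/",
        "http://ocsp.example.test/\u{e9}".as_bytes(),
        b"http://ocsp.example.test/\xff\xfe",
    ];
    for s in &samples {
        println!("{:?}", classify(s));
    }
    let (ok, rejected) = accepted_responders(&samples);
    println!("accepted={:?} rejected_indexes={:?}", ok, rejected);
}
```

Only the third sample corresponds to the undefined-behavior case in the description; the second is sound Rust but still indicates a malformed certificate.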
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | UNKNOWN | ---

Awaiting analysis: This vulnerability is currently awaiting analysis.

EPSS Score percentile: 11%
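Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| rust-openssl | bookworm | | no-dsa |
| rust-openssl | bullseye | | vulnerable |
| rust-openssl | bullseye (security) | | vulnerable |
| rust-openssl | forky | 0.10.79-1 | fixed |
| rust-openssl | sid | 0.10.79-1 | fixed |
| rust-openssl | trixie | | no-dsa |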
Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| clamav1.5 | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-data | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-debuginfo | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-debugsource | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-devel | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-doc | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-filesystem | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-freshclam | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-freshclam-debuginfo | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-lib | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-lib-debuginfo | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-milter | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamav1.5-milter-debuginfo | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamd1.5 | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |
| clamd1.5-debuginfo | Amazon Linux 2023 | 0:1.5.2-1.amzn2023.0.2 | fixed |