CVE-2026-44662

EUVD-2026-30482

14.05.2026, 21:16

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced. This only impacts users using AES key-wrap-with-padding ciphers. This vulnerability is fixed in 0.10.79.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Debian Releases

Debian Product

Codename

rust-openssl

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	vulnerable
forky	0.10.79-1 fixed
sid	0.10.79-1 fixed
trixie	no-dsa

Amazon Linux Releases

Amazon Package

Release

clamav1.5

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-data

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-debuginfo

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-debugsource

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-devel

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-doc

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-filesystem

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-freshclam

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-freshclam-debuginfo

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-lib

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-lib-debuginfo

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-milter

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamav1.5-milter-debuginfo

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamd1.5

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

clamd1.5-debuginfo

Amazon Linux 2023

0:1.5.2-1.amzn2023.0.2

fixed

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

References

https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726