CVE-2026-42327— rust-openssl: undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rust-openssl | rust-openssl | >= 0.9.7, < 0.10.79 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42327
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
rust-openssl: undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
Source: NVD (National Vulnerability Database)
Vulnerability Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
rust-openssl 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
rust-openssl是rust-openssl开源的一个用于与 OpenSSL 库进行交互的库。 rust-openssl 0.9.7版本至0.10.79之前版本存在输入验证错误漏洞,该漏洞源于X509Ref::ocsp_responders返回证书AIA扩展中的OCSP响应者URL作为OpensslString,其Deref<Target = str>使用str::from_utf8_unchecked包装原始字节,OpenSSL不强制底层IA5String为ASCII,导致包含非UTF-8字节的O
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| rust-openssl | rust-openssl | >= 0.9.7, < 0.10.79 | - |
II. Public POCs for CVE-2026-42327
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42327
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: rust-openssl
- CVE-2026-44662
rust-openssl: Heap buffer overflow when encrypting with AES - CVE-2026-41898
rust-openssl: Unchecked callback-returned length in PSK and - CVE-2026-41681
rust-openssl: MdCtxRef::digest_final() writes past caller bu - CVE-2026-41678
rust-openssl: Incorrect bounds assertion in aes key wrap - CVE-2026-41677
rust-openssl: Out-of-bounds read in PEM password callback wh
Same vendor: rust-openssl
- CVE-2026-44662
rust-openssl: Heap buffer overflow when encrypting with AES - CVE-2026-41898
rust-openssl: Unchecked callback-returned length in PSK and - CVE-2026-41681
rust-openssl: MdCtxRef::digest_final() writes past caller bu - CVE-2026-41678
rust-openssl: Incorrect bounds assertion in aes key wrap - CVE-2026-41677
rust-openssl: Out-of-bounds read in PEM password callback wh
Same weakness: CWE-20
- CVE-2026-28751
filemanagement_storage_service has an improper input validat - CVE-2026-27891
Remote Code Execution (RCE) via Zip Slip in Plugin Upload Me - CVE-2026-45492
Microsoft Edge (Chromium-based) Security Feature Bypass Vuln - CVE-2026-45317
Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL - CVE-2025-29936
AMD多款产品 输入验证错误漏洞
V. Comments for CVE-2026-42327
No comments yet