CVE-2026-30960
Received Received - Intake
Arbitrary Code Execution via JIT in rssn Rust Library

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
rssn is a scientific computing library for Rust, combining a high-performance symbolic computation engine with numerical methods support and physics simulations functionalities. The vulnerability exists in the JIT (Just-In-Time) compilation engine, which is fully exposed via the CFFI (Foreign Function Interface). Due to Improper Input Validation and External Control of Code Generation, an attacker can supply malicious parameters or instruction sequences through the CFFI layer. Since the library often operates with elevated privileges or within high-performance computing contexts, this allows for Arbitrary Code Execution (ACE) at the privilege level of the host process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30960
EUVD
EUVD-2026-10704
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apich-organization rssn to 0.2.8|start_including=0.2.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-695 The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30960 is a critical vulnerability in the Rust library "rssn," specifically in its Just-In-Time (JIT) compilation engine exposed via the C Foreign Function Interface (CFFI).'}, {'type': 'paragraph', 'content': 'The flaw arises from improper input validation and external control of code generation, allowing an attacker to supply malicious parameters or instruction sequences through the CFFI layer.'}, {'type': 'paragraph', 'content': 'This enables arbitrary code execution at the privilege level of the host process, which is particularly dangerous because the library often runs with elevated privileges or in high-performance computing environments.'}, {'type': 'paragraph', 'content': 'The vulnerability involves multiple weaknesses including improper control of code generation, improper privilege management, use of low-level functionality, and improper checks for unusual conditions.'}] [1, 2]

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code at the privilege level of the host process running the rssn library.

Because rssn often operates with elevated privileges or in high-performance computing contexts, exploitation can lead to full compromise of the affected system.

  • Attackers can supply malicious instruction sequences through the CFFI layer to take control of the host process.
  • Developers using rssn as a dynamically linked library in multi-language environments (e.g., Python, Node.js, C++) are at risk.
  • Cloud service providers running rssn in multi-tenant or automated model-training pipelines may be vulnerable.
  • Users processing untrusted or third-party datasets or models could trigger malicious JIT instruction generation.

Mitigations include upgrading to version 0.2.9, sandboxing, applying least privilege principles, input filtering, and disabling JIT compilation if possible.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-30960 vulnerability in the rssn Rust library, you should upgrade to version 0.2.9 or later, where the issue is patched.

  • Run the library within strict sandbox environments such as WebAssembly, Docker with non-root users, or seccomp profiles.
  • Apply the principle of least privilege to limit the permissions of the process using the rssn library.
  • Implement application-level input filtering on data passed to the C Foreign Function Interface (CFFI) to prevent malicious parameters or instruction sequences.
  • If possible, disable the Just-In-Time (JIT) compilation engine and use interpreter-only modes to avoid executing potentially malicious JIT code.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30960. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart