CVE-2026-45784
Received Received - Intake

Buffer Overflow in rust-openssl AES Key-Wrap

Vulnerability report for CVE-2026-45784, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.50 until 0.10.80, CipherCtxRef::cipher_update_inplace in openssl/src/cipher_ctx.rs incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers EVP_aes_{128,192,256}_wrap_pad. For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced. This issue is fixed in version 0.10.80.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rust-openssl rust-openssl to 0.10.80 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects rust-openssl versions 0.10.50 to 0.10.80. It involves incorrect buffer sizing in CipherCtxRef::cipher_update_inplace when using AES key-wrap-with-padding ciphers. For inputs not multiples of 8, it writes up to 7 extra bytes past the buffer end, causing heap corruption if plaintext length is attacker-controlled.

Detection Guidance

This vulnerability affects rust-openssl versions 0.10.50 to 0.10.80 and involves heap corruption in AES key-wrap-with-padding ciphers. Detection requires checking installed rust-openssl versions and auditing applications using affected ciphers.

Impact Analysis

An attacker could exploit this to corrupt memory on the heap, potentially leading to crashes, data corruption, or arbitrary code execution. This is especially risky if the application processes untrusted input with affected ciphers.

Compliance Impact

The vulnerability involves heap corruption due to incorrect buffer sizing in AES key-wrap-with-padding ciphers, which could lead to memory corruption and potential arbitrary code execution. This may impact compliance with GDPR (data integrity risks) and HIPAA (unauthorized access to sensitive data) by compromising secure data handling and storage.

Mitigation Strategies

Update rust-openssl to version 0.10.80 or later to address the buffer overflow issue in AES key-wrap-with-padding ciphers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45784. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart