Fluid Attacks Database

Description

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
cargo	openssl	>=0.9.7 <0.10.79	0.10.79
debian 11	rust-openssl	=0.10.29-1 \|\| =0.10.29-1+deb11u1 \|\| =0.10.36-1 \|\| =0.10.41-1 \|\| =0.10.45-1 \|\| =0.10.57-1 \|\| =0.10.64-1 \|\| =0.10.68-1 \|\| =0.10.70-1 \|\| =0.10.72-1 \|\| =0.10.73-1 \|\| =0.10.78-1	-
debian 12	rust-openssl	=0.10.45-1 \|\| =0.10.57-1 \|\| =0.10.64-1 \|\| =0.10.68-1 \|\| =0.10.70-1 \|\| =0.10.72-1 \|\| =0.10.73-1 \|\| =0.10.78-1	-
debian 13	rust-openssl	=0.10.72-1 \|\| =0.10.73-1 \|\| =0.10.78-1	-
debian 14	rust-openssl	=0.10.72-1 \|\| =0.10.73-1 \|\| =0.10.78-1	-

Aliases

1. CVE-2026-423272. NVD-2026-423273. OSV-2026-423274. OSV-DEBIAN-2026-423275. GHSA-xp3w-r5p5-63rr6. GCVE-2026-423277. SECURITY-TRACKER-CVE-2026-42327

References

1. https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.