CVE-2026-42327

NameCVE-2026-42327
Descriptionrust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1136787

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-openssl (PTS)bullseye0.10.29-1vulnerable
bullseye (security)0.10.29-1+deb11u1vulnerable
bookworm0.10.45-1vulnerable
trixie0.10.72-1vulnerable
forky0.10.73-1vulnerable
sid0.10.78-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-opensslsource(unstable)(unfixed)1136787

Notes

https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
Search for package or bug name: Reporting problems