Vulnerability-Lookup

MSRC_CVE-2026-41676

Vulnerability from csaf_microsoft - Published: 2026-04-02 00:00 - Updated: 2026-04-27 14:44

Summary

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-41676

CWE-787 - Out-of-bounds Write

None Available There is no fix available for this vulnerability as of now

References

URL

Category

	https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
	https://support.microsoft.com/lifecycle	external
	https://www.first.org/cvss	external
	https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-41676 rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1 - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-41676.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1",
    "tracking": {
      "current_release_date": "2026-04-27T14:44:27.000Z",
      "generator": {
        "date": "2026-04-28T07:17:25.103Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-41676",
      "initial_release_date": "2026-04-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-04-26T01:06:07.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-04-27T14:44:27.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              },
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "cbl2 rpm-ostree 0:2022.1-8.cbl2",
                "product": {
                  "name": "cbl2 rpm-ostree 0:2022.1-8.cbl2",
                  "product_id": "8"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 rpm-ostree 0:2024.4-8.azl3",
                "product": {
                  "name": "azl3 rpm-ostree 0:2024.4-8.azl3",
                  "product_id": "4"
                }
              }
            ],
            "category": "product_name",
            "name": "rpm-ostree"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "cbl2 rust 0:1.72.0-15.cbl2",
                "product": {
                  "name": "cbl2 rust 0:1.72.0-15.cbl2",
                  "product_id": "7"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 rust 0:1.75.0-27.azl3",
                "product": {
                  "name": "azl3 rust 0:1.75.0-27.azl3",
                  "product_id": "6"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 rust 0:1.90.0-6.azl3",
                "product": {
                  "name": "azl3 rust 0:1.90.0-6.azl3",
                  "product_id": "5"
                }
              }
            ],
            "category": "product_name",
            "name": "rust"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 python-cryptography 0:42.0.5-4.azl3",
                "product": {
                  "name": "azl3 python-cryptography 0:42.0.5-4.azl3",
                  "product_id": "3"
                }
              }
            ],
            "category": "product_name",
            "name": "python-cryptography"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 trident 0:0.22.0-1.azl3",
                "product": {
                  "name": "azl3 trident 0:0.22.0-1.azl3",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "trident"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 clamav 0:1.5.2-1.azl3",
                "product": {
                  "name": "azl3 clamav 0:1.5.2-1.azl3",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "clamav"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 rpm-ostree 0:2022.1-8.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-8"
        },
        "product_reference": "8",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 rust 0:1.72.0-15.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-7"
        },
        "product_reference": "7",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-cryptography 0:42.0.5-4.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rpm-ostree 0:2024.4-8.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 trident 0:0.22.0-1.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 clamav 0:1.5.2-1.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rust 0:1.75.0-27.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rust 0:1.90.0-6.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41676",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17086-8",
          "17086-7",
          "17084-3",
          "17084-4",
          "17084-1",
          "17084-2",
          "17084-6",
          "17084-5"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-41676 rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1 - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-41676.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-8"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-7"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-3"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-4"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-2"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-6"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-26T01:06:07.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-5"
          ]
        }
      ],
      "title": "rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1"
    }
  ]
}

CVE-2026-41676 (GCVE-0-2026-41676)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:16 – Updated: 2026-04-24 17:43

Title

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1

Summary

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL. This vulnerability is fixed in 0.10.78.

Severity ?

7.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

CWE

CWE-787 - Out-of-bounds Write
CWE-131 - Incorrect Calculation of Buffer Size

Assigner

GitHub_M

References

URL

Tags

https://github.com/rust-openssl/rust-openssl/secu…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	rust-openssl	rust-openssl	Affected: >= 0.9.27, < 0.10.78

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41676",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T17:43:14.622885Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T17:43:20.693Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rust-openssl",
          "vendor": "rust-openssl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.9.27, \u003c 0.10.78"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "rust-openssl provides OpenSSL bindings for the Rust programming language.  From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL. This vulnerability is fixed in 0.10.78."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131: Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:16:20.539Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5"
        }
      ],
      "source": {
        "advisory": "GHSA-pqf5-4pqq-29f5",
        "discovery": "UNKNOWN"
      },
      "title": "rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41676",
    "datePublished": "2026-04-24T17:16:20.539Z",
    "dateReserved": "2026-04-22T03:53:24.406Z",
    "dateUpdated": "2026-04-24T17:43:20.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2026-41676

CVE-2026-41676 (GCVE-0-2026-41676)

Tags

Sightings

Nomenclature