openssl
crates.io | 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting openssl
- CVE-2016-10931 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 0.9.0 | 2019-08-26
An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for hostname verification.
- CVE-2018-20997 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.10.9 | 2019-08-26
An issue was discovered in the openssl crate before 0.10.9 for Rust. A use-after-free occurs in CMS Signing.
- CVE-2025-24898 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 0.10.70 | 2025-02-03
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. …
- CVE-2026-41676 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.10.78 | 2026-04-24
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenS…
- CVE-2026-41677 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 0.10.78 | 2026-04-24
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value lar…
- CVE-2026-41678 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.10.78 | 2026-04-24
rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended …
- CVE-2026-41681 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.10.78 | 2026-04-24
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes…
- CVE-2026-41898 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.10.78 | 2026-04-24
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_state…
- CVE-2026-42327 | HIGH | CVSS 8.7 | EG 8.7 | ✓ Fixed in 0.10.79 | 2026-05-14
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wra…
- CVE-2026-44662 | MEDIUM | CVSS 5.1 | EG 5.1 | ✓ Fixed in 0.10.79 | 2026-05-14
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used wit…
Check whether openssl is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for openssl CVEs against the assets you own.