CVE-2026-42327
rust-openssl: undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant, resulting in undefined behavior. This vulnerability is fixed in 0.10.79.
| CWE | CWE-20 |
| Vendor | rust-openssl |
| Product | rust-openssl |
| Published | May 14, 2026 |
Affected Versions
rust-openssl / rust-openssl
>= 0.9.7, < 0.10.79
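The checked conversion that the description contrasts with str::from_utf8_unchecked, as an added example that is not rust-openssl's code or its fix. It uses only the standard library; the function names, the error type and the sample byte strings are assumptions constructed for illustration.

```rust
/// Why a responder URL's raw bytes were rejected (hypothetical error type).
#[derive(Debug, PartialEq)]
pub enum UrlBytesError {
    /// Bytes are not valid UTF-8; `valid_up_to` is the length of the valid prefix.
    NotUtf8 { valid_up_to: usize },
    /// Bytes contain a value above 0x7F, which a 7-bit IA5String must not hold.
    NotIa5 { offset: usize },
}

/// Validate before a `&str` exists, so the UTF-8 invariant can never be broken.
/// `str::from_utf8_unchecked` skips this check and trusts the caller instead.
pub fn checked_str(raw: &[u8]) -> Result<&str, UrlBytesError> {
    std::str::from_utf8(raw).map_err(|e| UrlBytesError::NotUtf8 {
        valid_up_to: e.valid_up_to(),
    })
}

/// Stricter check matching the IA5String type: every byte must be ASCII.
pub fn checked_ia5(raw: &[u8]) -> Result<&str, UrlBytesError> {
    if let Some(offset) = raw.iter().position(|b| !b.is_ascii()) {
        return Err(UrlBytesError::NotIa5 { offset });
    }
    // ASCII is a subset of UTF-8, so this cannot fail after the check above.
    checked_str(raw)
}

/// Constructed sample accessLocation values (not taken from any real certificate).
pub const SAMPLES: [&[u8]; 3] = [
    b"http://ocsp.example.test/",         // plain ASCII
    b"http://ocsp.example.test/\xff\xfe", // not UTF-8
    b"http://ocsp.example.test/\xc3\xa9", // valid UTF-8, but not 7-bit
];

/// Count the samples that pass the strict IA5 check.
pub fn count_accepted(samples: &[&[u8]]) -> usize {
    samples.iter().filter(|s| checked_ia5(s).is_ok()).count()
}

fn main() {
    for raw in SAMPLES.iter() {
        println!("utf8: {:?}  ia5: {:?}", checked_str(raw), checked_ia5(raw));
    }
    println!("accepted: {}", count_accepted(&SAMPLES));
}
```
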