GHSA-phqj-4mhp-q6mq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-phqj-4mhp-q6mq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-phqj-4mhp-q6mq/GHSA-phqj-4mhp-q6mq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-phqj-4mhp-q6mq
- Aliases
-
- CVE-2026-45784
- Downstream
- Related
- Published
- 2026-05-19T19:50:11Z
- Modified
- 2026-05-20T20:14:25.992350776Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
- Details
-
CipherCtxRef::cipher_update_inplaceincorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVPaes{128,192,256}wrappad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced.This only impacts users using AES key-wrap-with-padding ciphers.
This method was missed in the fix for GHSA-xv59-967r-8726
- Database specific
{ "cwe_ids": [ "CWE-131", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2026-05-19T19:50:11Z", "nvd_published_at": null, "severity": "MODERATE" }- References
Affected packages
crates.io / openssl
Package
- Name
- openssl
- View open source insights on deps.dev
- Purl
- pkg:cargo/openssl