Heap-based Buffer Overflow in openssl-sys | CVE-2026-44662

Q: How to fix?

Upgrade openssl-sys to version 0.9.115 or higher.

Introduced: 7 May 2026

NewCVE-2026-44662 (opens in a new tab) CWE-122 (opens in a new tab)

How to fix?

Upgrade openssl-sys to version 0.9.115 or higher.

Overview

openssl-sys is a package for OpenSSL bindings for the Rust programming language

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update functions when encrypting with AES key-wrap-with-padding ciphers. An attacker can cause heap corruption and potentially execute arbitrary code or crash the application by providing specially crafted input that results in output buffers being incorrectly sized.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Heap-based Buffer Overflow Affecting openssl-sys package, versions >=0.9.71 <0.9.115

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 7 May 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk