{"id":"CVE-2026-42327","summary":"rust-openssl: undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs","details":"rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref\u003cTarget = str\u003e wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.","aliases":["GHSA-xp3w-r5p5-63rr"],"modified":"2026-05-18T06:00:10.997485730Z","published":"2026-05-14T20:17:39.923Z","related":["CGA-38qc-87rx-2r8x"],"database_specific":{"cwe_ids":["CWE-20"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42327.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42327.json"},{"type":"ADVISORY","url":"https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42327"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rust-openssl/rust-openssl","events":[{"introduced":"06065ddcee2abd5304a0aacb9643b925d504bb8b"},{"fixed":"649f2d9e37f3aa701e20bd8ab5cd7eb5afa0a90f"}]}],"versions":["openssl-v0.10.78","openssl-sys-v0.9.114","openssl-v0.10.77","openssl-sys-v0.9.113","openssl-v0.10.76","openssl-sys-v0.9.112","openssl-v0.10.75","openssl-sys-v0.9.111","openssl-v0.10.74","openssl-sys-v0.9.110","openssl-v0.10.73","openssl-sys-v0.9.109","openssl-sys-v0.9.108","openssl-v0.10.72","openssl-sys-v0.9.107","openssl-v0.10.71","openssl-sys-v0.9.106","openssl-v0.10.70","openssl-sys-v0.9.105","openssl-v0.10.69","openssl-v0.10.68","openssl-v0.10.67","openssl-sys-v0.9.104","openssl-v0.10.66","openssl-v0.10.65","openssl-sys-v0.9.103","openssl-sys-v0.9.102","openssl-sys-v0.9.101","openssl-v0.10.64","openssl-sys-v0.9.100","openssl-v0.10.63","openssl-sys-v0.9.99","openssl-v0.10.62","openssl-sys-v0.9.98","openssl-v0.10.61","openssl-sys-v0.9.97","openssl-v0.10.60","openssl-sys-v0.9.96","openssl-v0.10.59","openssl-sys-v0.9.95","openssl-v0.10.58","openssl-sys-v0.9.94","openssl-sys-v0.9.93","openssl-v0.10.57","openssl-sys-v0.9.92","openssl-v0.10.56","openssl-sys-v0.9.91","openssl-sys-v0.9.90","openssl-v0.10.55","openssl-sys-v0.9.89","openssl-v0.10.54","openssl-v0.10.53","openssl-sys-v0.9.88","openssl-v0.10.52","openssl-sys-v0.9.87","openssl-v0.10.51","openssl-sys-v0.9.86","openssl-v0.10.50","openssl-sys-v0.9.85","openssl-v0.10.49","openssl-sys-v0.9.84","openssl-macros-v0.1.1","openssl-v0.10.48","openssl-sys-v0.9.83","openssl-v0.10.47","openssl-sys-v0.9.82","openssl-v0.10.46","openssl-sys-v0.9.81","openssl-v0.10.45","openssl-sys-v0.9.80","openssl-v0.10.44","openssl-sys-v0.9.79","openssl-v0.10.43","openssl-sys-v0.9.78","openssl-sys-v0.9.77","openssl-v0.10.42","openssl-sys-v0.9.76","openssl-v0.10.41","openssl-sys-v0.9.75","openssl-sys-v0.9.74","openssl-v0.10.40","openssl-v0.10.39","openssl-macros-v0.1.0","openssl-sys-v0.9.73","openssl-sys-v0.9.72","openssl-sys-v0.9.71","openssl-sys-v0.9.65","openssl-sys-v0.9.70","openssl-v0.10.38","openssl-sys-v0.9.69","openssl-v0.10.37","openssl-sys-v0.9.68","openssl-sys-v0.9.67","openssl-v0.10.36","openssl-sys-v0.9.66","openssl-errors-v0.2.0","openssl-v0.10.35","openssl-sys-v0.9.64","openssl-sys-v0.9.63","openssl-v0.10.34","openssl-sys-v0.9.62","openssl-v0.10.33","openssl-sys-v0.9.61","openssl-v0.10.32","openssl-sys-v0.9.60","openssl-v0.10.31","openssl-sys-v0.9.59","openssl-v0.10.30","openssl-sys-v0.9.58","openssl-sys-v0.9.57","openssl-sys-v0.9.56","openssl-v0.10.29","openssl-sys-v0.9.55","openssl-v0.10.28","openssl-v0.9.27","openssl-v0.10.27","openssl-sys-v0.9.54","openssl-v0.10.26","openssl-sys-v0.9.53","openssl-sys-v0.9.52","openssl-sys-v0.9.51","openssl-v0.10.25","openssl-sys-v0.9.50","openssl-sys-v0.9.49","openssl-v0.10.24","openssl-sys-v0.9.48","openssl-v0.10.23","openssl-sys-v0.9.47","openssl-v0.10.22","openssl-sys-v0.9.46","openssl-sys-v0.9.45","openssl-v0.10.21","openssl-sys-v0.9.44","openssl-v0.10.20","openssl-sys-v0.9.43","openssl-errors-v0.1.0","openssl-v0.10.19","openssl-sys-v0.9.42","openssl-v0.10.18","openssl-v0.10.17","openssl-sys-v0.9.41","openssl-v0.10.16","openssl-sys-v0.9.40","openssl-v0.10.15","openssl-v0.10.14","openssl-sys-v0.9.39","openssl-sys-v0.9.38","openssl-v0.10.13","openssl-sys-v0.9.37","openssl-v0.10.12","openssl-sys-v0.9.36","openssl-v0.10.11","openssl-sys-v0.9.35","openssl-v0.10.10","openssl-sys-v0.9.33","openssl-v0.10.9","openssl-sys-v0.9.32","openssl-v0.10.8","openssl-sys-v0.9.31","openssl-v0.10.7","openssl-sys-v0.9.30","openssl-v0.10.6","openssl-sys-v0.9.28","openssl-v0.10.5","openssl-sys-v0.9.27","openssl-v0.10.4","openssl-sys-v0.9.26","openssl-v0.10.3","openssl-sys-v0.9.25","v0.9.23","openssl-v0.10.2","openssl-v0.10.1","openssl-v0.10.0","openssl-sys-v0.9.24","v0.9.22","v0.9.21","v0.9.20","v0.9.19","v0.9.18","v0.9.17","v0.9.16","v0.9.15","v0.9.14","v0.9.13","v0.9.12","v0.9.11","v0.9.10","v0.9.9","v0.9.8","v0.9.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42327.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}