{"id":"UBUNTU-CVE-2026-42327","details":"rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref\u003cTarget = str\u003e wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.","modified":"2026-05-20T22:01:37.596387434Z","published":"2026-05-14T21:16:00Z","upstream":["CVE-2026-42327"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-42327"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-42327"},{"type":"REPORT","url":"https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr"}],"affected":[{"package":{"name":"rust-openssl","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/rust-openssl?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.10.23-1","0.10.23-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-openssl-dev","binary_version":"0.10.23-1ubuntu0.1~esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42327.json"}},{"package":{"name":"rust-openssl","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/rust-openssl?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.10.29-1","0.10.36-1","0.10.36-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-openssl-dev","binary_version":"0.10.36-1ubuntu0.1~esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42327.json"}},{"package":{"name":"rust-openssl","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/rust-openssl?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.10.45-1","0.10.57-1","0.10.57-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-openssl-dev","binary_version":"0.10.57-1ubuntu0.1~esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42327.json"}},{"package":{"name":"rust-openssl","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/rust-openssl?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.10.70-1","0.10.72-1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-openssl-dev","binary_version":"0.10.72-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42327.json"}},{"package":{"name":"rust-openssl","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/rust-openssl?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.10.72-1","0.10.73-1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-openssl-dev","binary_version":"0.10.73-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42327.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}]}