Vulnerability Description
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior. This vulnerability is fixed in 0.10.79.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-42327?
CVE-2026-42327 is a documented vulnerability. rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as Opens...
How severe is CVE-2026-42327?
CVSS scoring is not yet available for CVE-2026-42327. Check NVD for updates.
Is there a patch for CVE-2026-42327?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.