Memory Leak — CraftedSignal Threat Feed

rust-openssl Memory Leak via Unchecked Callback Length (CVE-2026-41898)

hello@craftedsignal.io — Wed, 29 Apr 2026 07:33:41 +0000

CVE-2026-41898 is a security vulnerability affecting the rust-openssl library. The vulnerability stems from a failure to properly validate the length of data returned by callbacks during Pre-Shared Key (PSK) and cookie generation processes within OpenSSL. This oversight can lead to OpenSSL inadvertently exposing adjacent memory regions to a remote network peer. While the exact scope of impact is not detailed in the initial advisory, the potential for memory leakage raises concerns about sensitive information disclosure. Defenders should closely monitor applications utilizing rust-openssl for anomalous behavior indicative of exploitation attempts. The Microsoft Security Response Center published information regarding this vulnerability.

Attack Chain

A client initiates a TLS handshake with a server using rust-openssl.
The server requests PSK or initiates a cookie exchange as part of the TLS handshake.
rust-openssl triggers a callback function to generate the PSK or cookie data.
The callback function returns data with a length that is not properly validated by rust-openssl.
Due to the unchecked length, OpenSSL reads beyond the intended buffer boundary.
OpenSSL copies the over-read memory region into the response sent to the client.
The client receives the response containing the leaked memory.
The client can then analyze the leaked memory for sensitive information.

Impact

Successful exploitation of CVE-2026-41898 can lead to the leakage of sensitive information from the server’s memory. This information could include cryptographic keys, session data, or other confidential data. The extent of the leak depends on the amount of memory that is read beyond the intended buffer. The vulnerability could affect any application or service that uses rust-openssl for TLS communication and relies on PSK or cookie generation. The number of potential victims is currently unknown, but it would depend on the adoption rate of rust-openssl in security-sensitive applications.

Recommendation

Monitor network traffic for unusually large TLS handshake responses, which may indicate an attempt to trigger the memory leak.
Implement robust input validation for callback functions used in PSK and cookie generation within rust-openssl.
Deploy the Sigma rules provided to detect potential exploitation attempts based on anomalous network connection patterns.

rust-openssl Unchecked Callback Length Memory Leak

hello@craftedsignal.io — Thu, 23 Apr 2026 12:00:00 +0000

The rust-openssl crate, a Rust wrapper for the OpenSSL library, is susceptible to a high-severity vulnerability due to unchecked callback lengths within the FFI trampolines used by several functions related to PSK (Pre-Shared Key) and cookie generation. Specifically, versions 0.9.24 up to (but not including) 0.10.78 are affected. The vulnerable functions include SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb. The issue arises because the user-provided closure’s returned usize (size) value is directly passed to OpenSSL without validation against the size of the &mut [u8] buffer provided to the closure, resulting in potential buffer overflows and memory leaks. This allows an attacker to potentially leak adjacent memory regions to a peer.

Attack Chain

An attacker crafts a malicious application or exploits an existing application using the vulnerable rust-openssl crate.
The attacker triggers one of the vulnerable callback functions (set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, or set_stateless_cookie_generate_cb).
The vulnerable callback function executes the user-provided closure.
The user-provided closure returns a usize value indicating the intended length of the data to be written to the output buffer.
The FFI trampoline forwards this usize value directly to OpenSSL, bypassing bounds checking against the actual buffer size.
If the returned usize exceeds the allocated buffer size, OpenSSL writes beyond the buffer boundary, leading to a buffer overflow.
The buffer overflow allows the attacker to read adjacent memory regions or overwrite data, potentially leaking sensitive information or corrupting program state.
Successful exploitation could lead to information disclosure, denial of service, or potentially arbitrary code execution.

Impact

Successful exploitation of this vulnerability could lead to information disclosure, denial of service, or potentially arbitrary code execution. Given the widespread use of the rust-openssl crate in various applications, the impact could be significant, affecting numerous services and potentially exposing sensitive data. The vulnerability allows for memory leakage to peers which could have broad consequences.

Recommendation

Upgrade to rust-openssl version 0.10.78 or later to patch the vulnerability (reference: https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78).
Implement input validation and sanitization within user-provided closures to ensure that the returned usize value does not exceed the allocated buffer size, mitigating the risk even in vulnerable versions.

Android-ImageMagick7 Memory Leak Vulnerability (CVE-2026-33852)

hello@craftedsignal.io — Tue, 24 Mar 2026 07:16:07 +0000

CVE-2026-33852 is a “Missing Release of Memory after Effective Lifetime” vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11. Discovered by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG), this memory leak can occur when processing specially crafted image files. An attacker could potentially exploit this vulnerability to cause a denial-of-service condition on a vulnerable Android device by repeatedly triggering the memory leak…