Reported

July 21, 2024

Issued

July 21, 2024 (last modified: October 28, 2025)

Package

openssl (crates.io)

Type

Vulnerability

Aliases

• GHSA-q445-7m23-qrmw

References

• https://github.com/sfackler/rust-openssl/pull/2266

Patched

• >=0.10.66

Affected Functions

Version

openssl::bio::MemBio::get_buf

• <0.10.66, >=0.8.0

Description

Previously, MemBio::get_buf called slice::from_raw_parts with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.

Advisory available under CC0-1.0 license.