GHSA-82j2-j2ch-gfr8

ADVISORY - rustsec

Summary

A panic was reachable when parsing certificate revocation lists via [BorrowedCertRevocationList::from_der] or [OwnedCertRevocationList::from_der]. It was caused by mishandling a syntactically valid empty BIT STRING (zero bits of content) appearing in the onlySomeReasons element of an IssuingDistributionPoint CRL extension, so an attacker-supplied CRL could crash the parser.

This panic is reachable prior to a CRL's signature being verified.

Applications that do not use CRLs are not affected.

Thank you to @tynus3 for the report.
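As an added illustration (not rustls-webpki's code, and not the patched routine), the following hypothetical Rust decoder reads the RFC 5280 ReasonFlags BIT STRING carried in onlySomeReasons. It shows the edge case from the summary: a DER BIT STRING whose contents are only the unused-bits octet (`03 01 00`) is valid and carries zero bits, so a decoder that assumes at least one data octet will index past the end of the slice and panic on untrusted input before any signature check. It also rejects the truly malformed forms (no unused-bits octet, more than 7 unused bits, non-zero padding bits). The names `DerError`, `read_tlv`, `read_bit_string` and `reason_flags` are this example's own; the sample encodings in `main` are constructed.

```rust
/// Error type for this example decoder (hypothetical, not rustls-webpki's).
#[derive(Debug, PartialEq)]
pub enum DerError {
    Truncated,
    BadTag(u8),
    BadLength,
    BadUnusedBits(u8),
    NonZeroPadding,
}

/// Split one primitive DER TLV off `input`, returning (tag, contents, rest).
/// Only short-form lengths (< 128 bytes) are handled; ReasonFlags is 1-2 bytes.
pub fn read_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), DerError> {
    let (&tag, rest) = input.split_first().ok_or(DerError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(DerError::Truncated)?;
    if len & 0x80 != 0 {
        return Err(DerError::BadLength); // long-form length not needed here
    }
    let len = len as usize;
    if rest.len() < len {
        return Err(DerError::Truncated);
    }
    let (contents, rest) = rest.split_at(len);
    Ok((tag, contents, rest))
}

/// Decode a DER BIT STRING into (unused_bits, data_octets).
/// X.690 8.6.2.2: the contents always start with the unused-bits octet, so
/// zero content octets is malformed. `03 01 00` (unused = 0, no data octets)
/// is valid and encodes an empty bit string; it must not be indexed blindly.
pub fn read_bit_string(input: &[u8]) -> Result<(u8, &[u8]), DerError> {
    let (tag, contents, _rest) = read_tlv(input)?;
    if tag != 0x03 {
        return Err(DerError::BadTag(tag));
    }
    // This is the spot where `contents[0]` on an empty slice would panic.
    let (&unused, bits) = contents.split_first().ok_or(DerError::Truncated)?;
    if unused > 7 || (bits.is_empty() && unused != 0) {
        return Err(DerError::BadUnusedBits(unused));
    }
    // DER (X.690 11.2.1): the unused trailing bits must be zero.
    if let Some(&last) = bits.last() {
        if last & ((1u8 << unused) - 1) != 0 {
            return Err(DerError::NonZeroPadding);
        }
    }
    Ok((unused, bits))
}

/// Decode ReasonFlags (RFC 5280 5.2.5) to a u16 bitmask where bit i of the
/// result is ASN.1 named bit i (unused(0), keyCompromise(1), ... aACompromise(8)).
/// An empty bit string decodes to 0 rather than panicking.
pub fn reason_flags(input: &[u8]) -> Result<u16, DerError> {
    let (unused, bits) = read_bit_string(input)?;
    let total_bits = bits.len() * 8 - unused as usize;
    let mut flags = 0u16;
    for i in 0..total_bits.min(16) {
        // ASN.1 bit 0 is the most significant bit of the first data octet.
        if bits[i / 8] & (0x80 >> (i % 8)) != 0 {
            flags |= 1 << i;
        }
    }
    Ok(flags)
}

fn main() {
    // Constructed sample encodings, not taken from a real CRL.
    let samples: [(&str, &[u8]); 4] = [
        ("keyCompromise|cACompromise", &[0x03, 0x02, 0x05, 0x60]),
        ("empty bit string (the panic case)", &[0x03, 0x01, 0x00]),
        ("no unused-bits octet (malformed)", &[0x03, 0x00]),
        ("non-zero padding (not DER)", &[0x03, 0x02, 0x05, 0x61]),
    ];
    for (name, der) in samples {
        println!("{name}: {:?}", reason_flags(der));
    }
}
```

The check that matters for this advisory is `split_first()` on the contents: it turns the empty case into an `Err` (or, for `03 01 00`, into an empty flag set) instead of an out-of-bounds index, which is the difference between a rejected CRL and a process abort.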

Affected packages

Package        Type   OS Name  OS Version  Affected Ranges                        Fix Versions
rustls-webpki  cargo  -        -           <0.103.13                              0.103.13
rustls-webpki  cargo  -        -           >=0.104.0-alpha.1, <0.104.0-alpha.7    0.104.0-alpha.7

Severity and metrics

No CVSS data available from this advisory.