GHSA-82j2-j2ch-gfr8: rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
Tags: high, vulnerability, security
Source: GitHub Advisory Database, April 24, 2026
Summary
A bug in rustls-webpki (a Rust library for validating certificates) causes a panic, crashing the program, when it processes a malformed CRL (certificate revocation list, a list of revoked digital certificates) containing a specially crafted BIT STRING (a data structure used in certificate formats). The panic occurs in the `bit_string_flags()` function when it indexes an array element that does not exist (an out-of-bounds access). Only applications that explicitly enable CRL checking and load CRL data from untrusted sources are affected.
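To illustrate the failure class, here is an added example (not rustls-webpki's code) of a DER BIT STRING flag decoder that returns an error on every malformed shape instead of indexing blindly; the function name, error type and the assumption that the bug stems from reading the unused-bits byte of an empty body are this example's own, not details stated by the advisory.

```rust
/// Errors a hardened decoder reports instead of panicking.
#[derive(Debug, PartialEq)]
pub enum BitStringError {
    Empty,              // body has no unused-bits byte at all
    BadUnusedBits(u8),  // unused-bits count outside 0..=7
    UnusedWithoutData,  // padding declared but no data byte follows
    NonZeroPadding,     // DER requires padding bits to be zero
}

/// Interpret `contents` as the body of a DER BIT STRING (the bytes after
/// tag and length) and return its bits, most significant first, without
/// the padding bits. Assumption for this example: the dangerous pattern
/// is `contents[0]` on an empty slice, so every access is bounds-checked
/// by construction here.
pub fn bit_string_flags(contents: &[u8]) -> Result<Vec<bool>, BitStringError> {
    // First byte: how many low-order bits of the last data byte are padding.
    let (&unused, data) = contents.split_first().ok_or(BitStringError::Empty)?;
    if unused > 7 {
        return Err(BitStringError::BadUnusedBits(unused));
    }
    if data.is_empty() {
        if unused != 0 {
            return Err(BitStringError::UnusedWithoutData);
        }
        return Ok(Vec::new());
    }
    // DER canonical form: padding bits must be zero.
    let last = *data.last().unwrap(); // safe: data is non-empty here
    if last & ((1u8 << unused) - 1) != 0 {
        return Err(BitStringError::NonZeroPadding);
    }
    let total_bits = data.len() * 8 - unused as usize;
    let flags = (0..total_bits)
        .map(|i| (data[i / 8] >> (7 - (i % 8))) & 1 == 1)
        .collect();
    Ok(flags)
}
```

A caller validating untrusted CRLs should treat any `Err` as a rejected CRL, never as a reason to unwrap.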
Classification
Attack Sophistication: Moderate
Affected Packages
rustls-webpki >= 0.104.0-alpha.1, < 0.104.0-alpha.7 (fixed: 0.104.0-alpha.7)
rustls-webpki < 0.103.13 (fixed: 0.103.13)
Original source: https://github.com/advisories/GHSA-82j2-j2ch-gfr8
First tracked: April 24, 2026 at 02:00 PM