Critical Flaw in Rust Crate rssn Enables Arbitrary Code Execution via JIT

A critical flaw in the rssn crate, scored 9.4 on CVSS, lets attackers pipe malicious JSON through the C-FFI to execute arbitrary code at the host process's privilege level.

Jamie Taylor, 2 min read

A critical arbitrary code execution vulnerability in the rssn Rust crate landed in the RustSec advisory database on March 10, 2026, carrying a CVSS base score of 9.4 and a CVE identifier that should push any project using rssn below version 0.2.9 to upgrade immediately.

The advisory, RUSTSEC-2026-0038, was first reported to RustSec on March 8 and updated once more on March 11. It is cross-referenced with GitHub Security Advisory GHSA-9c4h-pwmf-m6fj and CVE-2026-30960, which the Miggo Vulnerability Database labels as "RSSN CFFI JIT Code Injection." Every version of rssn before 0.2.9 is vulnerable; 0.2.9 is the first patched release.

The root of the problem sits at the intersection of two design decisions: the library's JIT engine is fully exposed via its C Foreign Function Interface, and that interface performs no validation on what gets fed into it. Specifically, the function rssn_jit_compile_json, located in src/ffi_apis/jit_ffi/json.rs, accepts a JSON string representing a sequence of JIT instructions, deserializes it, and compiles it directly into executable code. Nothing in that pipeline checks whether the instruction sequence is safe. A proof-of-concept documented in the advisory demonstrates that feeding arbitrary memory load instructions through this path produces runnable code without restriction.

Execution happens in rssn_jit_execute, found in src/ffi_apis/jit_ffi/handle.rs. The original implementation ran raw function pointers returned by the JIT compiler without any sandboxing whatsoever, meaning an attacker who could reach the C-FFI interface could achieve code execution at whatever privilege level the host process holds. The advisory explicitly notes that rssn frequently operates with elevated privileges or inside high-performance computing environments, which amplifies the real-world consequence considerably.
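As an added illustration (not the rssn crate's own code), here is the kind of allowlist gate that rssn_jit_compile_json lacked: the instruction set `Instr`, the `validate` function and the small interpreter standing in for the compiler are all hypothetical, chosen to show that a deserialized sequence containing a raw memory load or native call is refused before any code is generated.

```rust
// Added example, not rssn's own code: an allowlist gate for a deserialized
// JIT instruction sequence, modelled on RUSTSEC-2026-0038. `Instr` is a
// hypothetical stand-in for whatever rssn_jit_compile_json deserializes;
// the point is that validation runs before anything reaches the compiler.
#[derive(Debug, Clone, PartialEq)]
pub enum Instr {
    Const(f64),    // push an immediate
    Arg(usize),    // push caller argument n (bounds-checked against arity)
    Add, Sub, Mul, // pop two operands, push the result
    MemLoad(u64),  // read 8 bytes at an arbitrary address: the dangerous primitive
    CallPtr(u64),  // jump to a raw native pointer
}
#[derive(Debug, PartialEq)]
pub enum Reject { RawMemory(usize), NativeCall(usize), BadArg(usize), BadStack(usize) }
/// Only pure stack arithmetic over declared arguments passes; each rejection
/// carries the offending instruction index so the caller can log it.
pub fn validate(program: &[Instr], arity: usize) -> Result<(), Reject> {
    let mut depth = 0usize;
    for (i, ins) in program.iter().enumerate() {
        match ins {
            Instr::Const(_) => depth += 1,
            Instr::Arg(n) if *n < arity => depth += 1,
            Instr::Arg(_) => return Err(Reject::BadArg(i)),
            Instr::Add | Instr::Sub | Instr::Mul if depth >= 2 => depth -= 1,
            Instr::Add | Instr::Sub | Instr::Mul => return Err(Reject::BadStack(i)),
            Instr::MemLoad(_) => return Err(Reject::RawMemory(i)),
            Instr::CallPtr(_) => return Err(Reject::NativeCall(i)),
        }
    }
    // A well-formed program leaves exactly one result on the stack.
    if depth == 1 { Ok(()) } else { Err(Reject::BadStack(program.len())) }
}
/// Stand-in for the compile-and-execute path: the program is interpreted only
/// after it passes the gate, so an unvalidated sequence never becomes code.
pub fn compile_and_run(program: &[Instr], args: &[f64]) -> Result<f64, Reject> {
    validate(program, args.len())?;
    let mut stack: Vec<f64> = Vec::new();
    for ins in program {
        match ins {
            Instr::Const(v) => stack.push(*v),
            Instr::Arg(n) => stack.push(args[*n]),
            Instr::Add | Instr::Sub | Instr::Mul => {
                let (b, a) = (stack.pop().unwrap(), stack.pop().unwrap());
                stack.push(match ins { Instr::Add => a + b, Instr::Sub => a - b, _ => a * b });
            }
            _ => unreachable!("rejected by validate"),
        }
    }
    Ok(stack.pop().unwrap())
}
```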

The vulnerability carries six CWE classifications: CWE-94 (Improper Control of Generation of Code), CWE-20 (Improper Input Validation), CWE-754 (Improper Check for Unusual or Exceptional Conditions), CWE-695 (Use of Low-Level Functionality), CWE-269 (Improper Privilege Management), and CWE-15 (External Control of System or Configuration Setting). That breadth reflects how deeply the unvalidated JIT pathway is entangled with the library's privilege model.

The RustSec advisory includes section headers for "Who is Impacted?" and "Workarounds", but the published text provides no content under either heading beyond a note that mitigations should be considered if an immediate upgrade is impossible. No specific runtime mitigations were listed. The Apich Organization Security Team is credited as a reference alongside the GitHub advisory. Advisory content is available under CC-BY-4.0.

For any project pulling rssn as a dependency, the path forward is unambiguous: pin to 0.2.9 or later and audit whether any code path exposes the C-FFI to untrusted input before the upgrade lands in production.
