CVE-2026-30960 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) found in the rssn library developed by Apich-Organization. rssn is a Rust-based scientific computing library that integrates a high-performance symbolic computation engine with numerical methods and physics simulation capabilities. The vulnerability resides in the Just-In-Time (JIT) compilation engine, which is fully exposed through the C Foreign Function Interface (CFFI). Due to improper input validation and external control over code generation, an attacker can inject malicious instruction sequences or parameters via the CFFI layer. This leads to arbitrary code execution (ACE) within the context of the host process, which often runs with elevated privileges in high-performance computing (HPC) or scientific environments. The vulnerability affects all rssn versions prior to 0.2.9. The CVSS v4.0 base score is 9.4, reflecting the critical nature of this flaw, with attack vector local, low attack complexity, no authentication or user interaction required, and high impact on confidentiality, integrity, and availability. The vulnerability also involves additional weaknesses such as improper access control (CWE-269), improper authorization (CWE-695), and incorrect permissions (CWE-754). No patches or known exploits are currently reported, but the risk is substantial given the potential for full system compromise. The vulnerability was published on March 10, 2026, and is currently in a published state with no known exploits in the wild.

The impact of CVE-2026-30960 is severe for organizations utilizing the rssn library in scientific computing, HPC, or physics simulations, especially where processes run with elevated privileges. Successful exploitation allows attackers to execute arbitrary code at the privilege level of the host process, potentially leading to full system compromise, unauthorized data access or modification, disruption of critical scientific computations, and lateral movement within networks. This can result in loss of intellectual property, data breaches, operational downtime, and damage to research integrity. Given rssn’s niche but critical role in scientific and HPC environments, affected organizations may include research institutions, universities, government labs, and companies relying on Rust-based HPC solutions. The lack of required authentication or user interaction lowers the barrier for exploitation, increasing risk. Although no exploits are known in the wild yet, the vulnerability’s critical severity and high CVSS score indicate a high likelihood of future exploitation attempts, especially by advanced threat actors targeting scientific and research sectors.

1. Immediately upgrade rssn to version 0.2.9 or later once the patch is released by Apich-Organization to remediate the vulnerability. 2. Until patched, restrict access to the CFFI interface to trusted and validated inputs only, implementing strict input validation and sanitization to prevent injection of malicious code. 3. Run rssn processes with the least privilege necessary, avoiding elevated privileges where possible to limit the impact of potential exploitation. 4. Employ runtime application self-protection (RASP) or behavior monitoring tools to detect anomalous JIT compilation or code execution activities. 5. Isolate systems running rssn in dedicated environments or containers to reduce lateral movement risk. 6. Conduct thorough code reviews and security audits of any custom code interfacing with rssn via CFFI to identify and mitigate unsafe usage patterns. 7. Monitor security advisories from Apich-Organization and related Rust security communities for updates and exploit reports. 8. Implement network segmentation and strict access controls around HPC and scientific computing infrastructure to reduce exposure. 9. Educate developers and system administrators on the risks of improper code generation and the importance of secure FFI usage.