Description

A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.

PUBLISHED Reserved 2026-03-03 | Published 2026-04-03 | Updated 2026-04-03 | Assigner apple

Problem types

A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections.

Product status

4.0.0 (custom) before 4.3.1
affected

References

github.com/...crypto/security/advisories/GHSA-9m44-rr2w-ppp7

cve.org (CVE-2026-28815)

nvd.nist.gov (CVE-2026-28815)
