Search criteria
8 vulnerabilities by rustcrypto
CVE-2026-22705 (GCVE-0-2026-22705)
Vulnerability from cvelistv5 – Published: 2026-01-10 06:14 – Updated: 2026-01-10 06:14
VLAI?
Title
RustCrypto: Signatures has timing side-channel in ML-DSA decomposition
Summary
RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2.
Severity ?
6.4 (Medium)
CWE
- CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | signatures |
Affected:
< 0.1.0-rc.2
|
{
"containers": {
"cna": {
"affected": [
{
"product": "signatures",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "\u003c 0.1.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1240",
"description": "CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T06:14:20.292Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7"
},
{
"name": "https://github.com/RustCrypto/signatures/pull/1144",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/pull/1144"
},
{
"name": "https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558"
}
],
"source": {
"advisory": "GHSA-hcp2-x6j4-29j7",
"discovery": "UNKNOWN"
},
"title": "RustCrypto: Signatures has timing side-channel in ML-DSA decomposition"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22705",
"datePublished": "2026-01-10T06:14:20.292Z",
"dateReserved": "2026-01-08T19:23:09.857Z",
"dateUpdated": "2026-01-10T06:14:20.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22700 (GCVE-0-2026-22700)
Vulnerability from cvelistv5 – Published: 2026-01-10 05:17 – Updated: 2026-01-10 05:17
VLAI?
Title
RustCrypto Has Insufficient Length Validation in decrypt() in SM2-PKE
Summary
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | elliptic-curves |
Affected:
= 0.14.0-pre.0
Affected: = 0.14.0-rc.0 |
{
"containers": {
"cna": {
"affected": [
{
"product": "elliptic-curves",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "= 0.14.0-pre.0"
},
{
"status": "affected",
"version": "= 0.14.0-rc.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T05:17:25.583Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-j9xq-69pf-pcm8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-j9xq-69pf-pcm8"
},
{
"name": "https://github.com/RustCrypto/elliptic-curves/pull/1603",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/elliptic-curves/pull/1603"
},
{
"name": "https://github.com/RustCrypto/elliptic-curves/commit/e60e99167a9a2b187ebe80c994c5204b0fdaf4ab",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/elliptic-curves/commit/e60e99167a9a2b187ebe80c994c5204b0fdaf4ab"
}
],
"source": {
"advisory": "GHSA-j9xq-69pf-pcm8",
"discovery": "UNKNOWN"
},
"title": "RustCrypto Has Insufficient Length Validation in decrypt() in SM2-PKE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22700",
"datePublished": "2026-01-10T05:17:25.583Z",
"dateReserved": "2026-01-08T19:23:09.856Z",
"dateUpdated": "2026-01-10T05:17:25.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22699 (GCVE-0-2026-22699)
Vulnerability from cvelistv5 – Published: 2026-01-10 05:17 – Updated: 2026-01-10 05:17
VLAI?
Title
RustCrypto SM2-PKE has Unchecked AffinePoint Decoding (unwrap) in decrypt()
Summary
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | elliptic-curves |
Affected:
= 0.14.0-pre.0
Affected: = 0.14.0-rc.0 |
{
"containers": {
"cna": {
"affected": [
{
"product": "elliptic-curves",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "= 0.14.0-pre.0"
},
{
"status": "affected",
"version": "= 0.14.0-rc.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(\u0026encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T05:17:22.818Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6"
},
{
"name": "https://github.com/RustCrypto/elliptic-curves/pull/1602",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/elliptic-curves/pull/1602"
},
{
"name": "https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab"
}
],
"source": {
"advisory": "GHSA-78p6-6878-8mj6",
"discovery": "UNKNOWN"
},
"title": "RustCrypto SM2-PKE has Unchecked AffinePoint Decoding (unwrap) in decrypt()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22699",
"datePublished": "2026-01-10T05:17:22.818Z",
"dateReserved": "2026-01-08T19:23:09.856Z",
"dateUpdated": "2026-01-10T05:17:22.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22698 (GCVE-0-2026-22698)
Vulnerability from cvelistv5 – Published: 2026-01-10 05:17 – Updated: 2026-01-10 05:17
VLAI?
Title
RustCrypto SM2-PKE has 32-bit Biased Nonce Vulnerability
Summary
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778.
Severity ?
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | elliptic-curves |
Affected:
= 0.14.0-pre.0
Affected: = 0.14.0-rc.0 |
{
"containers": {
"cna": {
"affected": [
{
"product": "elliptic-curves",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "= 0.14.0-pre.0"
},
{
"status": "affected",
"version": "= 0.14.0-rc.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331: Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T05:17:19.993Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw"
},
{
"name": "https://github.com/RustCrypto/elliptic-curves/pull/1600",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/elliptic-curves/pull/1600"
},
{
"name": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731"
},
{
"name": "https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525"
},
{
"name": "https://crates.io/crates/sm2/0.14.0-pre.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://crates.io/crates/sm2/0.14.0-pre.0"
},
{
"name": "https://crates.io/crates/sm2/0.14.0-rc.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://crates.io/crates/sm2/0.14.0-rc.0"
}
],
"source": {
"advisory": "GHSA-w3g8-fp6j-wvqw",
"discovery": "UNKNOWN"
},
"title": "RustCrypto SM2-PKE has 32-bit Biased Nonce Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22698",
"datePublished": "2026-01-10T05:17:19.993Z",
"dateReserved": "2026-01-08T19:23:09.856Z",
"dateUpdated": "2026-01-10T05:17:19.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21895 (GCVE-0-2026-21895)
Vulnerability from cvelistv5 – Published: 2026-01-08 14:06 – Updated: 2026-01-08 15:55
VLAI?
Title
rsa crate has potential panic on a prime being equal to 1
Summary
The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.
Severity ?
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | RSA |
Affected:
< 0.9.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T14:52:10.453165Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:55:13.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RSA",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T14:06:29.288Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26"
},
{
"name": "https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7"
}
],
"source": {
"advisory": "GHSA-9c48-w39g-hm26",
"discovery": "UNKNOWN"
},
"title": "rsa crate has potential panic on a prime being equal to 1"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21895",
"datePublished": "2026-01-08T14:06:29.288Z",
"dateReserved": "2026-01-05T17:24:36.929Z",
"dateUpdated": "2026-01-08T15:55:13.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27498 (GCVE-0-2025-27498)
Vulnerability from cvelistv5 – Published: 2025-03-03 16:52 – Updated: 2025-03-03 17:32
VLAI?
Title
AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
Summary
aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The vulnerability is fixed in 0.4.3.
Severity ?
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | AEADs |
Affected:
< 0.4.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27498",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T17:26:48.023206Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T17:32:24.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AEADs",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The vulnerability is fixed in 0.4.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:52:02.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886"
},
{
"name": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037"
}
],
"source": {
"advisory": "GHSA-r38m-44fw-h886",
"discovery": "UNKNOWN"
},
"title": "AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27498",
"datePublished": "2025-03-03T16:52:02.750Z",
"dateReserved": "2025-02-26T18:11:52.304Z",
"dateUpdated": "2025-03-03T17:32:24.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49092 (GCVE-0-2023-49092)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:57 – Updated: 2024-11-27 16:03
VLAI?
Title
RustCrypto/RSA vulnerable to a Marvin Attack via key recovery through timing sidechannels
Summary
RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.
Severity ?
5.9 (Medium)
CWE
- CWE-385 - Covert Timing Channel
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | RSA |
Affected:
<= 0.9.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:28.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
},
{
"name": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T16:03:39.720474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T16:03:51.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RSA",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-385",
"description": "CWE-385: Covert Timing Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T22:50:31.056Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
},
{
"name": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
}
],
"source": {
"advisory": "GHSA-c38w-74pg-36hr",
"discovery": "UNKNOWN"
},
"title": "RustCrypto/RSA vulnerable to a Marvin Attack via key recovery through timing sidechannels"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49092",
"datePublished": "2023-11-28T20:57:06.739Z",
"dateReserved": "2023-11-21T18:57:30.429Z",
"dateUpdated": "2024-11-27T16:03:51.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42811 (GCVE-0-2023-42811)
Vulnerability from cvelistv5 – Published: 2023-09-22 15:19 – Updated: 2025-06-18 14:22
VLAI?
Title
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
Summary
aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the `aes-gcm` crate's `decrypt_in_place*` APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.
Severity ?
4.7 (Medium)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | AEADs |
Affected:
>= 0.10.0, < 0.10.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq"
},
{
"name": "https://docs.rs/aes-gcm/latest/src/aes_gcm/lib.rs.html#309",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.rs/aes-gcm/latest/src/aes_gcm/lib.rs.html#309"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYQCICN6BVC6I75O3F6W4VK4J3MOYDJU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U67ZSMNX5V3WTBYPUYF45PSFG4SF5SGF/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROBB6TBDAGEQ2WIINR34F3DPSN3FND6K/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42811",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-19T18:49:22.620440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T14:22:56.534Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AEADs",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.10.0, \u003c 0.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the `aes-gcm` crate\u0027s `decrypt_in_place*` APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-03T01:06:15.294Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq"
},
{
"name": "https://docs.rs/aes-gcm/latest/src/aes_gcm/lib.rs.html#309",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.rs/aes-gcm/latest/src/aes_gcm/lib.rs.html#309"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYQCICN6BVC6I75O3F6W4VK4J3MOYDJU/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U67ZSMNX5V3WTBYPUYF45PSFG4SF5SGF/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROBB6TBDAGEQ2WIINR34F3DPSN3FND6K/"
}
],
"source": {
"advisory": "GHSA-423w-p2w9-r7vq",
"discovery": "UNKNOWN"
},
"title": "AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42811",
"datePublished": "2023-09-22T15:19:15.445Z",
"dateReserved": "2023-09-14T16:13:33.307Z",
"dateUpdated": "2025-06-18T14:22:56.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}