GHSA-435G-FCV3-8J26

Vulnerability from github – Published: 2026-02-12 22:12 – Updated: 2026-02-12 22:12
Summary
Bug-Fixes in `libcrux-ecdh`, `libcrux-ed25519`, `libcrux-psq`
Details

In accordance with our security policy for libcrux, we publish a GitHub security advisory for any releases whose CHANGELOG includes bug-fixes, and encourage our users to upgrade. The latest releases of the libcrux-ecdh, libcrux-ed25519 and libcrux-psq crates contain the following bug-fixes:

libcrux-ecdh

  • #1301: Check length and clamping in X25519 secret validation. This is a breaking change since errors are now raised on unclamped X25519 secrets or inputs of the wrong length.

libcrux-ed25519

  • #1320: Remove duplicated clamping step during key generation

The issue fixed in #1320 was first reported by Nadim Kobeissi.

libcrux-psq

  • #1319: Propagate AEADError instead of panicking
  • #1301: Fix broken clamping check for imported X25519 secret keys

The issue fixed in #1319 was first reported by Nadim Kobeissi.
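
The length and clamping check that the two #1301 items describe can be sketched as follows. This is an added example, not libcrux code: it assumes "clamped" means the RFC 7748 scalar form, and `SecretError`, `clamp` and `validate_secret` are hypothetical names.

```rust
use std::convert::TryFrom;

/// Why an imported X25519 secret was rejected (hypothetical error type).
#[derive(Debug, PartialEq, Eq)]
pub enum SecretError {
    WrongLength(usize),
    NotClamped,
}

/// RFC 7748 clamping: clear the three low bits of byte 0,
/// clear bit 7 and set bit 6 of byte 31. Applying it twice changes nothing.
pub fn clamp(mut k: [u8; 32]) -> [u8; 32] {
    k[0] &= 248;
    k[31] &= 127;
    k[31] |= 64;
    k
}

/// Accept only 32-byte inputs that are already clamped, and report the
/// reason as an error value instead of panicking or silently fixing the key.
pub fn validate_secret(bytes: &[u8]) -> Result<[u8; 32], SecretError> {
    let k = <[u8; 32]>::try_from(bytes)
        .map_err(|_| SecretError::WrongLength(bytes.len()))?;
    // All three bit conditions are tested; checking only some of them
    // would let a malformed scalar through.
    let low_bits_clear = k[0] & 0b0000_0111 == 0;
    let top_bit_clear = k[31] & 0b1000_0000 == 0;
    let bit_254_set = k[31] & 0b0100_0000 != 0;
    if !(low_bits_clear && top_bit_clear && bit_254_set) {
        return Err(SecretError::NotClamped);
    }
    Ok(k)
}

fn main() {
    // Constructed sample inputs, not real key material.
    let raw = [0xffu8; 32];
    let clamped = clamp(raw);
    println!("unclamped: {:?}", validate_secret(&raw).is_ok());
    println!("clamped:   {:?}", validate_secret(&clamped).is_ok());
    println!("31 bytes:  {:?}", validate_secret(&clamped[..31]));
}
```

Callers that previously imported raw random bytes as an X25519 secret need to clamp them first or handle the new error after upgrading.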


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.5"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-ecdh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.5"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-ed25519"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.6"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-psq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T22:12:14Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "In accordance with our [security policy for `libcrux`](https://github.com/cryspen/libcrux/blob/main/SECURITY.md), we publish a GitHub security advisory for any releases whose CHANGELOG includes bug-fixes, and encourage our users to upgrade. The latest releases of the `libcrux-ecdh`, `libcrux-ed25519` and `libcrux-psq` crates contain the following bug-fixes:\n\n## `libcrux-ecdh`\n\n- [#1301](https://github.com/cryspen/libcrux/pull/1301): Check length and clamping in X25519 secret validation. This is a breaking change since errors are now raised on unclamped X25519 secrets or inputs of the wrong length\n\n## `libcrux-ed25519`\n\n- [#1320](https://github.com/cryspen/libcrux/pull/1320): Remove duplicated clamping step during key generation\n\nThe issue fixed in #1320 was first reported by Nadim Kobeissi.\n## `libcrux-psq`\n\n- [#1319](https://github.com/cryspen/libcrux/pull/1319): Propagate AEADError instead of panicking\n- [#1301](https://github.com/cryspen/libcrux/pull/1301): Fix broken clamping check for imported X25519 secret keys\n\nThe issue fixed in #1319 was first reported by Nadim Kobeissi.",
  "id": "GHSA-435g-fcv3-8j26",
  "modified": "2026-02-12T22:12:14Z",
  "published": "2026-02-12T22:12:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/security/advisories/GHSA-435g-fcv3-8j26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1319"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1320"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/commit/4d6f5d3c2542b6179a6474dec8cfb8b8ddf31a84"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/commit/a09022c5811ca7fd1c6d9a239ff294d64ee86734"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/commit/f303b6446c19fe9a7c993f61e426023609cd5fac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cryspen/libcrux"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Bug-Fixes in `libcrux-ecdh`, `libcrux-ed25519`, `libcrux-psq`"
}

