CVE-2026-28815

HIGH7.5

A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections

Published Apr 3, 2026

Modified 3 weeks ago

Details

A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.

References

WEB

https://github.com/apple/swift-crypto/security/advisories/GHSA-9m44-rr2w-ppp7

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-28815

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ecosystems

Timeline

PublishedApr 3, 2026

ModifiedApr 3, 2026