Insecure sync encryption: deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks.
{
"github_reviewed_at": "2026-05-14T20:30:04Z",
"nvd_published_at": "2026-05-28T18:16:35Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-326",
"CWE-329",
"CWE-353",
"CWE-759",
"CWE-916"
],
"severity": "MODERATE"
}