GHSA-c86p-w88r-qvqr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c86p-w88r-qvqr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-c86p-w88r-qvqr/GHSA-c86p-w88r-qvqr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c86p-w88r-qvqr
- Aliases
- Downstream
- Related
- Published
- 2025-05-09T18:30:38Z
- Modified
- 2025-10-28T06:29:00.136141Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- ring has some AES functions that may panic when overflow checking is enabled in
- Details
-
A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received.
- Database specific
{ "nvd_published_at": "2025-05-09T16:15:25Z", "severity": "MODERATE", "github_reviewed_at": "2025-05-09T19:42:41Z", "github_reviewed": true, "cwe_ids": [ "CWE-770" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-4432
- https://github.com/briansmith/ring/pull/2447
- https://github.com/briansmith/ring/commit/ec2d3cf1d91f148c84e4806b4f0b3c98f6df3b38
- https://access.redhat.com/security/cve/CVE-2025-4432
- https://bugzilla.redhat.com/show_bug.cgi?id=2350655
- https://github.com/briansmith/ring
- https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05
- https://rustsec.org/advisories/RUSTSEC-2025-0009.html
Affected packages
crates.io / ring
Package
- Name
- ring
- View open source insights on deps.dev
- Purl
- pkg:cargo/ring