GHSA-g433-pq76-6cmf

Source
https://github.com/advisories/GHSA-g433-pq76-6cmf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-g433-pq76-6cmf/GHSA-g433-pq76-6cmf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g433-pq76-6cmf
Published
2026-02-13T20:05:10Z
Modified
2026-02-13T20:43:24.539606Z
Summary
Bug fixes in hpke-rs, hpke-rs-rust-crypto
Details

We publish a GitHub security advisory for any releases whose CHANGELOG includes bug-fixes, and encourage our users to upgrade. The latest releases of the hpke-rs and hpke-rs-rust-crypto crates contain the following bug-fixes:

hpke-rs

  • #127: Fix KemAlgorithm::TryFrom<u16> mapping where 0x004D incorrectly resolved to XWingDraft06 instead of XWingDraft06Obsolete.
  • #123: Fix potential overflow in context counter and switch to use u64.
  • #128: Return errors when trying to use open/seal with an export-only ciphersuite, and when using KDF export with an output length that is too long (instead of truncating it).

The issue fixed in #123 was first reported by Nadim Kobeissi. The issues fixed in #127 and #128 were first reported by Scott Arciszewski.

hpke-rs-rust-crypto

  • #124: Error out on x25519 0 keys

The issue fixed in #124 was first reported by Nadim Kobeissi.
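
To check whether a project still resolves a release of either crate older than the fixed 0.6.0, the following added example (not code from the hpke-rs project or from this advisory) scans the text of a Cargo.lock file. The sample lockfile and all function names are constructed for illustration.

```rust
// Crate names and fixed release are from this advisory; SAMPLE_LOCK is constructed.
const AFFECTED: [&str; 2] = ["hpke-rs", "hpke-rs-rust-crypto"];
const FIXED: (u64, u64, u64) = (0, 6, 0);
const SAMPLE_LOCK: &str = r#"version = 4
[[package]]
name = "hpke-rs"
version = "0.5.0"
[[package]]
name = "hpke-rs-rust-crypto"
version = "0.6.0"
"#;

/// Split "MAJOR.MINOR.PATCH[-pre][+build]" into its numeric core and a pre-release flag.
fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let v = v.split('+').next()?; // build metadata does not affect ordering
    let (core, pre) = v.split_once('-').map_or((v, false), |(c, _)| (c, true));
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let t = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some((t, pre)) }
}

/// Affected if it sorts before 0.6.0 (a 0.6.0 pre-release does); unparseable versions are reported.
fn is_affected(version: &str) -> bool {
    parse_version(version).map_or(true, |(core, pre)| core < FIXED || (core == FIXED && pre))
}

/// Return (name, version) for each affected entry in the text of a Cargo.lock file.
fn scan_lockfile(lock: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let mut name = None; // stays None for the top-level `version = N` lockfile-format line
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"'));
        } else if let (Some(n), Some(v)) = (name, line.strip_prefix("version = ")) {
            let v = v.trim_matches('"');
            if AFFECTED.contains(&n) && is_affected(v) {
                hits.push((n.to_string(), v.to_string()));
            }
        }
    }
    hits
}

fn main() {
    for (n, v) in scan_lockfile(SAMPLE_LOCK) { println!("{n} {v} predates fixed release 0.6.0"); }
}
```
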

Database specific
{
    "github_reviewed_at": "2026-02-13T20:05:10Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-190",
        "CWE-20",
        "CWE-697"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
Affected packages

crates.io / hpke-rs

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.6.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-g433-pq76-6cmf/GHSA-g433-pq76-6cmf.json"

crates.io / hpke-rs-rust-crypto

Package

Name
hpke-rs-rust-crypto
Purl
pkg:cargo/hpke-rs-rust-crypto

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.6.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-g433-pq76-6cmf/GHSA-g433-pq76-6cmf.json"