RUSTSEC-2026-0069

Source
https://rustsec.org/advisories/RUSTSEC-2026-0069
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0069.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0069
Aliases
Published
2026-02-11T12:00:00Z
Modified
2026-03-24T08:41:23.142103Z
Summary
Incorrect Length Encoding on KDF Export
Details

Passing a length greater than 65535 to Context::export produces output that disagrees with the RFC 9180 label encoding. Specifically, the length value is cast to u16, which truncates any value exceeding 65535.

Impact

Applications that use hpke-rs to export very large secrets would experience interoperability issues with other applications that use a correct implementation to export very large secrets.

Mitigation

Starting with version 0.6.0, an error will be returned when attempting to call Context::export with an output length > 65535.
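
The truncation described under Details, next to the kind of length check the Mitigation describes, as an added example that is not hpke-rs code. The function names, the SUITE_ID constant and the exporter context are assumptions constructed for illustration; the info layout and the "sec" export label follow RFC 9180's LabeledExpand.

```rust
// Added illustration, not hpke-rs code. All names here are hypothetical.
// RFC 9180 LabeledExpand info: I2OSP(L, 2) || "HPKE-v1" || suite_id || label || info
use std::convert::TryFrom;

// Constructed sample suite_id: "HPKE" || kem_id 0x0020 || kdf_id 0x0001 || aead_id 0x0001
const SUITE_ID: [u8; 10] = [b'H', b'P', b'K', b'E', 0x00, 0x20, 0x00, 0x01, 0x00, 0x01];
const EXPORT_LABEL: &[u8] = b"sec"; // label RFC 9180 uses for Context.Export

// Assemble the labeled info from an already-encoded two-byte length prefix.
fn build(len_be: [u8; 2], info: &[u8]) -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&len_be);
    out.extend_from_slice(b"HPKE-v1");
    out.extend_from_slice(&SUITE_ID);
    out.extend_from_slice(EXPORT_LABEL);
    out.extend_from_slice(info);
    out
}

/// Behaviour the advisory describes: `as u16` keeps only the low 16 bits.
fn labeled_info_truncating(len: usize, info: &[u8]) -> Vec<u8> {
    build((len as u16).to_be_bytes(), info)
}

/// Checked conversion: reject lengths that do not fit the two-byte field.
fn labeled_info_checked(len: usize, info: &[u8]) -> Result<Vec<u8>, String> {
    let l = u16::try_from(len).map_err(|_| format!("export length {} exceeds 65535", len))?;
    Ok(build(l.to_be_bytes(), info))
}

fn main() {
    let ctx = b"constructed exporter context";
    // 65568 = 65536 + 32, so the truncated prefix is 0x0020, the same as for 32.
    let wrapped = labeled_info_truncating(65_568, ctx);
    let small = labeled_info_truncating(32, ctx);
    println!("prefix for 65568: {:02x?}", &wrapped[..2]);
    println!("identical to L = 32: {}", wrapped == small);
    println!("checked(65568): {:?}", labeled_info_checked(65_568, ctx).map(|v| v.len()));
    println!("checked(65535) prefix: {:02x?}", &labeled_info_checked(65_535, ctx).unwrap()[..2]);
}
```

With the truncating cast, a request for 65568 bytes encodes the same two-byte prefix as a request for 32 bytes, which is the mismatch with a correct peer that the Impact section describes.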

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / hpke-rs

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.6.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "arch": [],
        "functions": [
            "hpke_rs::Context::export"
        ],
        "os": []
    }
}

Database specific

categories
[]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0069.json"
informational
null
cvss
null