RUSTSEC-2026-0071

Source
https://rustsec.org/advisories/RUSTSEC-2026-0071
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0071.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0071
Aliases
Published
2026-02-05T12:00:00Z
Modified
2026-03-24T08:41:23.142103Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Nonce Reuse in HPKE Context
Details

The sequence number used to compute the AEAD nonce of a reusable HPKE context is incremented after every seal or open operation. In affected versions it was stored as a u32 and incremented with plain addition, which panics on overflow in debug builds but silently wraps in release builds: after 2^32 seal or open operations the counter returns to 0 and the context starts reusing, under the same key, nonces it has already used.

Impact

Nonce reuse under a fixed key breaks AEAD ciphers catastrophically. It enables plaintext recovery (at minimum, the XOR of the two plaintexts encrypted under the repeated nonce leaks) and authentication-tag forgery; the exact consequences depend on the concrete AEAD.

This bug affects applications that perform more than 2^32 seal or open operations on a single hpke-rs context, that is, long-lived contexts that encrypt or decrypt a very large number of messages. Both sender and receiver contexts keep such a counter, so the issue applies to Context::seal and Context::open alike. Applications using the one-shot APIs are unaffected, since those set up a fresh context for every message.

Mitigation

Starting with version 0.6.0, the sequence number is incremented with checked_add, so an overflow returns an error instead of silently wrapping in release builds. The sequence number is also now stored as a u64, raising the maximum number of seal and open operations permitted on a given HPKE context. Upgrade to hpke-rs 0.6.0 or later; cargo audit flags this advisory against a Cargo.lock that still resolves an earlier version.
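As an added example (not hpke-rs's own code), the following Rust models the affected and the fixed sequence-number handling side by side. It assumes the RFC 9180 nonce derivation, nonce = base_nonce XOR I2OSP(seq, Nn) with Nn = 12, and that the counter is bumped after every seal or open; the struct and function names, the error type and the sample base nonce are constructed for illustration. Starting the counter at u32::MAX reproduces the wraparound without running 2^32 operations, and the vulnerable model uses wrapping_add explicitly so that it shows release-mode behaviour even in a debug build.

```rust
// Added example modelling RUSTSEC-2026-0071; this is not hpke-rs code.
// Assumption (not from the advisory): nonces are derived as in RFC 9180,
// nonce = base_nonce XOR I2OSP(seq, Nn), with Nn = 12 for AES-GCM and
// ChaCha20-Poly1305, and the counter is incremented after each seal/open.

const NN: usize = 12; // AEAD nonce length in bytes

/// RFC 9180 ComputeNonce: XOR the big-endian sequence number into the base nonce.
fn compute_nonce(base_nonce: &[u8; NN], seq: u64) -> [u8; NN] {
    let mut nonce = *base_nonce;
    let seq_bytes = seq.to_be_bytes(); // 8 bytes, right-aligned in the 12-byte nonce
    for (n, s) in nonce[NN - 8..].iter_mut().zip(seq_bytes.iter()) {
        *n ^= s;
    }
    nonce
}

/// Model of the affected context: u32 counter, wrapping increment.
/// `wrapping_add` reproduces what plain `+` does in a release build on overflow.
struct VulnerableContext {
    base_nonce: [u8; NN],
    seq: u32,
}

impl VulnerableContext {
    /// Nonce the next seal/open would use; the counter is bumped afterwards.
    fn next_nonce(&mut self) -> [u8; NN] {
        let nonce = compute_nonce(&self.base_nonce, u64::from(self.seq));
        self.seq = self.seq.wrapping_add(1); // 2^32 - 1 wraps to 0 here
        nonce
    }
}

/// Hypothetical error type standing in for whatever the fixed crate returns.
#[derive(Debug, PartialEq)]
enum HpkeError {
    MessageLimitReached,
}

/// Model of the fix: u64 counter and checked_add, refusing to hand out a nonce
/// once the counter can no longer be advanced (slightly stricter than strictly
/// necessary, but it guarantees no nonce is ever produced twice).
struct FixedContext {
    base_nonce: [u8; NN],
    seq: u64,
}

impl FixedContext {
    fn next_nonce(&mut self) -> Result<[u8; NN], HpkeError> {
        let next = self.seq.checked_add(1).ok_or(HpkeError::MessageLimitReached)?;
        let nonce = compute_nonce(&self.base_nonce, self.seq);
        self.seq = next;
        Ok(nonce)
    }
}

/// Returns (vulnerable context reused the seq-0 nonce after wrapping,
///          fixed context still yields a fresh nonce past 2^32,
///          fixed context errors instead of wrapping at the u64 limit).
fn demonstrate_wraparound(base_nonce: [u8; NN]) -> (bool, bool, bool) {
    let first_nonce = compute_nonce(&base_nonce, 0);

    // Affected behaviour: after the nonce for seq = 2^32 - 1, the counter is 0 again.
    let mut vuln = VulnerableContext { base_nonce, seq: u32::MAX };
    let _last_distinct = vuln.next_nonce();
    let vulnerable_reused = vuln.next_nonce() == first_nonce;

    // Fixed behaviour: crossing 2^32 gives a nonce distinct from the seq-0 one.
    let mut fixed = FixedContext { base_nonce, seq: u64::from(u32::MAX) };
    let _ = fixed.next_nonce();
    let fixed_fresh = fixed.next_nonce().map(|n| n != first_nonce).unwrap_or(false);

    // Fixed behaviour at the new limit: an error, never a silent wrap.
    let mut at_limit = FixedContext { base_nonce, seq: u64::MAX };
    let fixed_refuses = at_limit.next_nonce() == Err(HpkeError::MessageLimitReached);

    (vulnerable_reused, fixed_fresh, fixed_refuses)
}

fn main() {
    let base_nonce = [0x42u8; NN]; // constructed sample value, not a derived base nonce
    let (reused, fresh, refuses) = demonstrate_wraparound(base_nonce);
    println!("vulnerable context reuses nonce after 2^32 operations: {reused}");
    println!("fixed context stays fresh past 2^32 operations:       {fresh}");
    println!("fixed context refuses to wrap at the u64 limit:        {refuses}");
}
```

The base nonce is identical for every message of a context, so the counter is the only thing separating nonces; any path that lets it repeat, including an overflow, repeats the nonce. Checked arithmetic turns that into an explicit error the caller must handle rather than a silent key-and-nonce pair collision.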

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / hpke-rs

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.6.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "arch": [],
        "functions": [
            "hpke_rs::Context::open",
            "hpke_rs::Context::seal"
        ],
        "os": []
    }
}

Database specific

categories
[]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0071.json"
informational
null
cvss
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"