rustsec-2026-0071
Vulnerability from osv_rustsec
The sequence number that is used to compute the AEAD nonce when using
a re-usable HPKE context is incremented after each seal or open
operation. This sequence number was stored as a u32 and used regular
addition on u32 for the increment, meaning in release mode it would
silently wrap around to 0 after 2^32 seal or open operations.
Impact
Nonce reuse causes catastrophic breakage of AEAD ciphers, enabling plaintext recovery attacks and authentication tag forgeries, depending on the concrete AEAD.
This bug impacts applications that use hpke-rs to encrypt a large number of messages using the same context. Applications using the one-shot APIs are unaffected.
Mitigation
Starting with version 0.6.0, checked_add is used to increment the
sequence number, which avoids a silent wraparound in release
mode. Additionally, the sequence number is now stored as a u64,
increasing the maximally allowed number of seal and open operations on
a given HPKE context.
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"hpke_rs::Context::open",
"hpke_rs::Context::seal"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "hpke-rs",
"purl": "pkg:cargo/hpke-rs"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.6.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-g433-pq76-6cmf"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "The sequence number that is used to compute the AEAD nonce when using\na re-usable HPKE context is incremented after each seal or open\noperation. This sequence number was stored as a `u32` and used regular\naddition on `u32` for the increment, meaning in release mode it would\nsilently wrap around to 0 after 2^32 seal or open operations.\n\n## Impact\nNonce reuse causes catastrophic breakage of AEAD ciphers, enabling\nplaintext recovery attacks and authentication tag forgeries, depending\non the concrete AEAD.\n\nThis bug impacts applications that use hpke-rs to encrypt a large\nnumber of messages using the same context. Applications using the\none-shot APIs are unaffected.\n\n## Mitigation\nStarting with version `0.6.0`, `checked_add` is used to increment the\nsequence number, which avoids a silent wraparound in release\nmode. Additionally, the sequence number is now stored as a `u64`,\nincreasing the maximally allowed number of seal and open operations on\na given HPKE context.",
"id": "RUSTSEC-2026-0071",
"modified": "2026-03-24T08:16:07Z",
"published": "2026-02-05T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/hpke-rs"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0071.html"
},
{
"type": "WEB",
"url": "https://github.com/cryspen/hpke-rs/pull/123"
}
],
"related": [],
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nonce Reuse in HPKE Context"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.