DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24785: The Sound of Silence: Breaking Clatter's Post-Quantum Promises (CVE-2026-24785)

#security #cve #cybersecurity

The Sound of Silence: Breaking Clatter's Post-Quantum Promises (CVE-2026-24785)

Vulnerability ID: CVE-2026-24785
CVSS Score: 8.0
Published: 2026-01-28

A critical protocol compliance failure in the Clatter Rust library allows attackers to decrypt Post-Quantum Noise sessions. By violating the Noise Protocol's PSK Validity Rule, specific handshake patterns fail to mix ephemeral entropy before encryption, leading to catastrophic key reuse.

TL;DR

Clatter < 2.2.0 implemented 'psk0' handshake patterns incorrectly. It used static Pre-Shared Keys to encrypt data before establishing ephemeral randomness. This turns a fancy Post-Quantum encryption tunnel into a static substitution cipher, allowing anyone with the PSK (or a reused stream) to decrypt the entire session.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-327
  • Attack Vector: Network
  • CVSS Score: 8.0 (High)
  • Impact: Confidentiality & Integrity Loss
  • EPSS Score: 0.00015
  • Vulnerability Type: Cryptographic Logic Error

Affected Systems

  • Rust applications using Clatter < 2.2.0
  • Embedded systems using Clatter with psk0 patterns
  • Post-Quantum VPN implementations using Clatter
  • Clatter: < 2.2.0 (Fixed in: 2.2.0)

Code Analysis

Commit: b65ae6e

Implementation of PSK validity rule and removal of non-compliant patterns

+ fn validate_psk_rule(...) -> Result<(), PatternError> {
+    // check if psk sent but no ephemeral key before encryption
+ }
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Hypothetical: Exploitation involves capturing handshake packets and deriving keys using known PSK.

Mitigation Strategies

  • Upgrade Clatter to version 2.2.0 or later immediately.
  • Audit all usage of Noise Handshake Patterns in your codebase.
  • Discontinue use of psk0 variants (noise_pqkk_psk0, etc.).
  • Implement application-level checks to ensure ephemeral keys (e, ekem) are exchanged before sensitive data is sent.

Remediation Steps:

  1. Check Cargo.toml for clatter version.
  2. Run cargo update -p clatter to pull v2.2.0.
  3. If using custom patterns, verify against Noise Section 9.3.
  4. Re-compile and redeploy affected services.

References

Read the full report for CVE-2026-24785 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)