DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HC3C-63HC-2R9F: GHSA-HC3C-63HC-2R9F: Denial of Service via Uncaught Exception in libcrux-chacha20poly1305

#security #cve #cybersecurity #ghsa

GHSA-HC3C-63HC-2R9F: Denial of Service via Uncaught Exception in libcrux-chacha20poly1305

Vulnerability ID: GHSA-HC3C-63HC-2R9F
CVSS Score: 7.5
Published: 2026-05-19

The libcrux-chacha20poly1305 cryptographic crate contains a Denial of Service vulnerability triggered by providing an overlong ciphertext buffer during encryption. This flaw manifests as a runtime panic due to an improper slice conversion, allowing attackers to terminate the application if buffer sizes are user-influenced.

TL;DR

A missing length bound check in the libcrux-chacha20poly1305 encrypt function causes an unhandled panic when the provided destination buffer exceeds the required size. This leads to a Denial of Service via application termination.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-248, CWE-20
  • Attack Vector: Network / Local
  • CVSS Score: 7.5 (High)
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • Rust applications utilizing libcrux-chacha20poly1305 versions <= 0.0.7 for encryption tasks
  • libcrux-chacha20poly1305: <= 0.0.7 (Fixed in: 0.0.8)

Code Analysis

Commit: 1386

Fix panic on overlong ciphertext buffer in chacha20poly1305

--- a/crates/algorithms/chacha20poly1305/src/impl_hacl.rs
+++ b/crates/algorithms/chacha20poly1305/src/impl_hacl.rs
@@ -59,8 +59,9 @@ pub fn encrypt<'a>(
 ) -> Result<(&'a [u8], &'a [u8; TAG_LEN]), AeadError> {
     let (ptxt_len, aad_len) = encrypt_checks(ptxt, ctxt, aad, NOT_DETACHED)?;

-    // ensure destination slice has just the right length
-    let (ctxt_cpa, tag) = ctxt.split_at_mut(ptxt_len as usize);
+    let (ctxt_cpa, rest) = ctxt.split_at_mut(ptxt_len as usize);
+    // The ciphertext buffer may be longer than ptxt_len + TAG_LEN.
+    let (tag, _rest) = rest.split_at_mut(TAG_LEN);
     let tag: &mut [u8; TAG_LEN] = tag.try_into().unwrap();
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Update the libcrux-chacha20poly1305 dependency to version 0.0.8 or newer
  • Manually truncate the ciphertext destination buffer to exactly plaintext length + 16 bytes before calling the encrypt function

Remediation Steps:

  1. Identify all projects utilizing the libcrux-chacha20poly1305 crate
  2. Modify Cargo.toml to enforce version requirements of 0.0.8 or higher
  3. Run cargo update -p libcrux-chacha20poly1305 to pull the latest patch
  4. Audit application source code for fixed-size buffer allocations passed to AEAD endpoints
  5. Recompile and deploy the updated application binaries

References

Read the full report for GHSA-HC3C-63HC-2R9F on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)