PT-2026-29972 · Unknown · Opensslxwingprivatekeyimpl+1

Cantina · Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-28815

CVSS v4.0: 8.8 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

swift-crypto versions 4.3.0 and earlier

Description

A remote attacker can provide a short X-Wing HPKE encapsulated key, triggering an out-of-bounds read in the C decapsulation path. This can lead to a crash or memory disclosure, depending on runtime protections.

The issue arises because the X-Wing decapsulation path accepts attacker-controlled ciphertext bytes without enforcing a fixed ciphertext length. The C API expects a fixed-size buffer of 1120 bytes, and a shorter Data value passed to it can cause the C code to read beyond the Swift buffer. The vulnerability is reachable through initialization of an HPKE.Recipient, where a malformed encapsulatedKey can trigger undefined behavior instead of a safe length-validation error. The decapsulate function of OpenSSLXWingPrivateKeyImpl does not perform a length check before passing the encapsulated data to the C API.

A Proof of Concept (PoC) demonstrates that providing a 1-byte encapsulatedKey instead of the required 1120 bytes does not result in rejection, and can lead to a crash or memory corruption when run with AddressSanitizer.

Recommendations

Update to swift-crypto version 4.3.1 or later.
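
The missing check described above, sketched at the boundary to a fixed-size C routine. This is an added example, not code from swift-crypto or its fix: fixed_size_decap is a hypothetical stand-in for a decapsulation function that takes no length, and checked_decap, the status codes and the 32-byte output size are assumptions of the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define XWING_CT_LEN 1120     /* fixed ciphertext size given in the advisory */
#define SHARED_SECRET_LEN 32  /* output size assumed for this sketch */

enum decap_status { DECAP_OK = 0, DECAP_BAD_ARG = -1, DECAP_BAD_LENGTH = -2 };

/* Hypothetical stand-in for a fixed-size C decapsulation routine. Like the
 * API the advisory describes, it receives no length and always reads
 * XWING_CT_LEN bytes from ct, so a shorter buffer means an out-of-bounds read. */
static void fixed_size_decap(uint8_t *out, const uint8_t *ct)
{
    memset(out, 0, SHARED_SECRET_LEN);
    for (size_t i = 0; i < XWING_CT_LEN; i++)
        out[i % SHARED_SECRET_LEN] ^= ct[i];   /* toy mixing, not real crypto */
}

/* Checked entry point: the caller passes the real length of the buffer it
 * holds, and anything other than exactly XWING_CT_LEN is rejected with an
 * error before the fixed-size routine can touch the memory. */
int checked_decap(uint8_t *out, const uint8_t *ct, size_t ct_len)
{
    if (out == NULL || ct == NULL)
        return DECAP_BAD_ARG;
    if (ct_len != XWING_CT_LEN)   /* exact match: too long is malformed too */
        return DECAP_BAD_LENGTH;
    fixed_size_decap(out, ct);
    return DECAP_OK;
}

int main(void)
{
    uint8_t out[SHARED_SECRET_LEN];
    uint8_t short_ct[1] = { 0x41 };        /* constructed 1-byte input */
    static uint8_t full_ct[XWING_CT_LEN];  /* constructed full-size input */

    int rejected = checked_decap(out, short_ct, sizeof short_ct) == DECAP_BAD_LENGTH;
    int accepted = checked_decap(out, full_ct, sizeof full_ct) == DECAP_OK;
    return (rejected && accepted) ? 0 : 1;
}
```

Building the sketch with -fsanitize=address and calling fixed_size_decap directly on the 1-byte buffer reproduces the class of report the advisory mentions; going through checked_decap returns DECAP_BAD_LENGTH instead.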

Fix

Memory Corruption

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-28815
GHSA-9M44-RR2W-PPP7

Affected Products

Opensslxwingprivatekeyimpl
Swift-Crypto