PT-2026-5038 · Clatter · Clatter
Jmlepisto · Published 2026-01-27 · Updated 2026-01-28 · CVE-2026-24785
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Clatter versions prior to 2.2.0
Description
Clatter, a Rust implementation of the Noise protocol framework with post-quantum support, contains a protocol compliance issue. The library permitted post-quantum handshake patterns that did not adhere to the PSK validity rule as defined in the Noise Protocol Framework Section 9.3. This could enable the use of PSK-derived keys for encryption without sufficient randomization through self-chosen ephemeral randomness, potentially leading to catastrophic key reuse and weakened security. Affected default patterns include noise pqkk psk0, noise pqkn psk0, noise pqnk psk0, and noise pqnn psk0, as well as some hybrid variants.
Recommendations
Update to Clatter version 2.2.0 or later.
Avoid using the * psk0 variants of post-quantum patterns.
Carefully review custom handshake patterns.
Exploit
Fix
Use of a Broken Cryptographic Algorithm
Weakness Enumeration
Related Identifiers
Affected Products
Clatter
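For the recommendation to review custom handshake patterns, the following added example (not Clatter's code and not part of the original advisory) checks a message pattern against the PSK validity rule of Noise Protocol Framework Section 9.3: a party may not send encrypted data after a "psk" token unless it has already sent an "e" token. It models the classic Noise tokens only; how Clatter 2.2.0 treats post-quantum KEM tokens is not stated on this page, and the names `check_psk_validity`, `Side` and `PskError` are hypothetical.

```rust
// Added example, not Clatter's code: checks message patterns against the
// Noise PSK validity rule (spec section 9.3) for the classic tokens only.
// Assumption: KEM tokens (post-quantum patterns) are not modeled here.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Side { Initiator, Responder }

#[derive(Debug, PartialEq)]
pub enum PskError {
    Malformed { message: usize },
    // `side` would encrypt `item` after "psk" without having sent "e".
    NoEphemeral { message: usize, side: Side, item: &'static str },
}

/// `pattern`: one message per line, e.g. "-> psk, e\n<- e, ee".
pub fn check_psk_validity(pattern: &str) -> Result<(), PskError> {
    let mut psk_processed = false;   // both parties process every "psk" token
    let mut sent_e = [false, false]; // indexed by Side: has this party sent "e"?
    let lines = pattern.lines().map(str::trim).filter(|l| !l.is_empty());
    for (message, line) in lines.enumerate() {
        let (side, rest) = if let Some(r) = line.strip_prefix("->") {
            (Side::Initiator, r)
        } else if let Some(r) = line.strip_prefix("<-") {
            (Side::Responder, r)
        } else {
            return Err(PskError::Malformed { message });
        };
        let who = side as usize;
        for token in rest.split(',').map(str::trim) {
            match token {
                "e" => sent_e[who] = true,
                "psk" => psk_processed = true,
                // Once a PSK-derived key exists, "s" is sent encrypted.
                "s" if psk_processed && !sent_e[who] => {
                    return Err(PskError::NoEphemeral { message, side, item: "static key" });
                }
                _ => {} // DH tokens and others send no encrypted data themselves
            }
        }
        // Every handshake message ends with a payload, encrypted once a key exists.
        if psk_processed && !sent_e[who] {
            return Err(PskError::NoEphemeral { message, side, item: "payload" });
        }
    }
    Ok(())
}

fn main() {
    // Constructed patterns: NNpsk0 from the Noise spec, and a variant with no "e".
    println!("{:?}", check_psk_validity("-> psk, e\n<- e, ee"));
    println!("{:?}", check_psk_validity("-> psk, s, ss"));
}
```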