Publish GHSA-435g-fcv3-8j26

advisory-database[bot] · advisory-database[bot] · commit bbea8d4bb030 · 2026-02-27T20:53:30.000Z
diff --git a/advisories/github-reviewed/2026/02/GHSA-435g-fcv3-8j26/GHSA-435g-fcv3-8j26.json b/advisories/github-reviewed/2026/02/GHSA-435g-fcv3-8j26/GHSA-435g-fcv3-8j26.json
@@ -1,12 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-435g-fcv3-8j26",
-  "modified": "2026-02-12T22:12:14Z",
+  "modified": "2026-02-27T20:51:08Z",
   "published": "2026-02-12T22:12:14Z",
   "aliases": [],
   "summary": "Bug-Fixes in `libcrux-ecdh`, `libcrux-ed25519`, `libcrux-psq`",
   "details": "In accordance with our [security policy for `libcrux`](https://github.com/cryspen/libcrux/blob/main/SECURITY.md), we publish a GitHub security advisory for any releases whose CHANGELOG includes bug-fixes, and encourage our users to upgrade. The latest releases of the `libcrux-ecdh`, `libcrux-ed25519` and `libcrux-psq` crates contain the following bug-fixes:\n\n## `libcrux-ecdh`\n\n- [#1301](https://github.com/cryspen/libcrux/pull/1301): Check length and clamping in X25519 secret validation. This is a breaking change since errors are now raised on unclamped X25519 secrets or inputs of the wrong length\n\n## `libcrux-ed25519`\n\n- [#1320](https://github.com/cryspen/libcrux/pull/1320): Remove duplicated clamping step during key generation\n\nThe issue fixed in #1320 was first reported by Nadim Kobeissi.\n## `libcrux-psq`\n\n- [#1319](https://github.com/cryspen/libcrux/pull/1319): Propagate AEADError instead of panicking\n- [#1301](https://github.com/cryspen/libcrux/pull/1301): Fix broken clamping check for imported X25519 secret keys\n\nThe issue fixed in #1319 was first reported by Nadim Kobeissi.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -107,14 +112,30 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/cryspen/libcrux"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0023.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0024.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0025.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0026.html"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-20",
       "CWE-327"
     ],
-    "severity": "MODERATE",
+    "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-12T22:12:14Z",
     "nvd_published_at": null
