CVE-2026-28815

High CVSS: 7.5

A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.

Vendor

Product

CWE

CWE-125

Yayın Tarihi

2026-04-03 03:16:18

Güncelleme

2026-04-03 16:10:23

Source Identifier

product-security@apple.com

KEV Date Added

Kategoriler

CWE-125 HIGH 2026

Referanslar

https://github.com/apple/swift-crypto/security/advisories/GHSA-9m44-rr2w-ppp7