Skip to main content

Clatter CVE-2026-24785

CRITICAL
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-01-28 security-advisories@github.com GHSA-253q-9q78-63x4
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 27, 2026 - 21:39 nvd
Patch available
CVE Published
Jan 28, 2026 - 00:15 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 cargo packages depend on clatter (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.2.0.

DescriptionGitHub Advisory

Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse. Affected default patterns include noise_pqkk_psk0, noise_pqkn_psk0, noise_pqnk_psk0, noise_pqnn_psk0, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties. The issue is fully patched and released in Clatter v2.2.0. The fixed version includes runtime checks to detect offending handshake patterns. As a workaround, avoid using offending *_psk0` variants of post-quantum patterns. Review custom handshake patterns carefully.

AnalysisAI

Clatter Noise protocol library has a broken cryptographic algorithm implementation that weakens post-quantum security guarantees in encrypted communications.

Technical ContextAI

Clatter, a Rust implementation of the Noise protocol framework with post-quantum support, has a CWE-327 use of broken or risky cryptographic algorithm that undermines the security guarantees of encrypted communications.

RemediationAI

Update Clatter. Re-establish encrypted sessions with the fixed version. Assume previous sessions may be compromised.

Share

CVE-2026-24785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy