Skip to main content

EUVDEUVD-2026-18570

| CVE-2026-28815 HIGH
Out-of-bounds Read (CWE-125)
2026-04-03 apple GHSA-9m44-rr2w-ppp7
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.3.1
EUVD ID Assigned
Apr 03, 2026 - 02:30 euvd
EUVD-2026-18570
Analysis Generated
Apr 03, 2026 - 02:30 vuln.today
CVE Published
Apr 03, 2026 - 01:32 nvd
HIGH 7.5

DescriptionCVE.org

A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.

AnalysisAI

Out-of-bounds read in Apple swift-crypto X-Wing HPKE decapsulation allows remote attackers to trigger memory disclosure or denial of service by supplying a malformed encapsulated key. The vulnerability affects swift-crypto versions prior to 4.3.1 and any macOS or downstream applications using vulnerable versions of the cryptographic library.

Technical ContextAI

Swift-crypto is Apple's cryptographic operations library providing HPKE (Hybrid Public Key Encryption) implementation. X-Wing is a post-quantum hybrid key encapsulation mechanism that combines classical and post-quantum algorithms. The vulnerability exists in the C language decapsulation path, where insufficient validation of the encapsulated key length allows an attacker to read beyond allocated buffer boundaries. This is a classic buffer over-read condition in low-level cryptographic code, enabling potential memory disclosure or crash depending on memory protections enforced by the runtime environment (ASLR, DEP, etc.).

RemediationAI

Vendor-released patch: swift-crypto version 4.3.1 and later. Applications and systems should upgrade to swift-crypto 4.3.1 or newer immediately. macOS users should ensure their systems are updated to the latest version, as Apple typically distributes cryptographic library fixes through system security updates. Developers using swift-crypto as a dependency should update their package dependency specifications to require version 4.3.1 or later. For detailed patch information and migration guidance, refer to the official Apple security advisory at https://github.com/apple/swift-crypto/security/advisories/GHSA-9m44-rr2w-ppp7.

Share

EUVD-2026-18570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy