Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.
AnalysisAI
Out-of-bounds read in Apple swift-crypto X-Wing HPKE decapsulation allows remote attackers to trigger memory disclosure or denial of service by supplying a malformed encapsulated key. The vulnerability affects swift-crypto versions prior to 4.3.1 and any macOS or downstream applications using vulnerable versions of the cryptographic library.
Technical ContextAI
Swift-crypto is Apple's cryptographic operations library providing HPKE (Hybrid Public Key Encryption) implementation. X-Wing is a post-quantum hybrid key encapsulation mechanism that combines classical and post-quantum algorithms. The vulnerability exists in the C language decapsulation path, where insufficient validation of the encapsulated key length allows an attacker to read beyond allocated buffer boundaries. This is a classic buffer over-read condition in low-level cryptographic code, enabling potential memory disclosure or crash depending on memory protections enforced by the runtime environment (ASLR, DEP, etc.).
RemediationAI
Vendor-released patch: swift-crypto version 4.3.1 and later. Applications and systems should upgrade to swift-crypto 4.3.1 or newer immediately. macOS users should ensure their systems are updated to the latest version, as Apple typically distributes cryptographic library fixes through system security updates. Developers using swift-crypto as a dependency should update their package dependency specifications to require version 4.3.1 or later. For detailed patch information and migration guidance, refer to the official Apple security advisory at https://github.com/apple/swift-crypto/security/advisories/GHSA-9m44-rr2w-ppp7.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18570
GHSA-9m44-rr2w-ppp7