RUSTSEC-2026-0025

Panic in libcrux-psq on decryption of malformed AES-GCM ciphertext

Reported
Issued
Package: libcrux-psq (crates.io)
Type: Vulnerability
Aliases
References
CVSS Score: 8.2 HIGH
CVSS Details
  • Attack Complexity: Low
  • Attack Requirements: Present
  • Attack Vector: Network
  • Privileges Required: None
  • Availability Impact to the Subsequent System: None
  • Confidentiality Impact to the Subsequent System: None
  • Integrity Impact to the Subsequent System: None
  • User Interaction: None
  • Availability Impact to the Vulnerable System: High
  • Confidentiality Impact to the Vulnerable System: None
  • Integrity Impact to the Vulnerable System: None
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Patched
  • >=0.0.7
Affected Functions (Version)
  • libcrux_psq::Channel::read_message: <=0.0.6

Description

The latest releases of the libcrux-psq crate contain the following bug fix:

#1319: Propagate AEADError instead of panicking

The issue fixed in #1319 was first reported by Nadim Kobeissi.
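
The bug class named in the fix title, shown as an added Rust example that is not code from libcrux-psq or from this advisory: a message reader that panics on a decryption error beside one that returns the error to its caller. All names (AeadError, seal, open, read_message_panicking, read_message_propagating, panics_on) are hypothetical, and a toy keyed checksum stands in for AES-GCM so the block has no dependencies.

```rust
// Added illustration; not libcrux-psq code. All names are hypothetical.
use std::panic;

#[derive(Debug, PartialEq)]
pub enum AeadError { TooShort, BadTag }

const TAG_LEN: usize = 4;

// Toy keyed checksum standing in for the AES-GCM tag (NOT secure, not constant-time).
fn toy_tag(key: u8, body: &[u8]) -> [u8; TAG_LEN] {
    let mut acc: u32 = 0x9e37_79b9 ^ key as u32;
    for &b in body {
        acc = (acc.rotate_left(5) ^ b as u32).wrapping_mul(0x0100_0193);
    }
    acc.to_be_bytes()
}

pub fn seal(key: u8, plaintext: &[u8]) -> Vec<u8> {
    let body: Vec<u8> = plaintext.iter().map(|b| b ^ key).collect();
    let tag = toy_tag(key, &body);
    [body, tag.to_vec()].concat()
}

// Stand-in for an AEAD open: every failure is a value, never a panic.
pub fn open(key: u8, msg: &[u8]) -> Result<Vec<u8>, AeadError> {
    if msg.len() < TAG_LEN { return Err(AeadError::TooShort); }
    let (body, tag) = msg.split_at(msg.len() - TAG_LEN);
    if toy_tag(key, body).as_slice() != tag { return Err(AeadError::BadTag); }
    Ok(body.iter().map(|b| b ^ key).collect())
}

// Panicking pattern: one malformed message from the network unwinds the caller.
pub fn read_message_panicking(key: u8, msg: &[u8]) -> Vec<u8> {
    open(key, msg).expect("decryption failed")
}

// Propagating pattern: the caller decides whether to drop the message or the session.
pub fn read_message_propagating(key: u8, msg: &[u8]) -> Result<Vec<u8>, AeadError> {
    open(key, msg)
}

// Reports whether the panicking variant unwinds on this input.
pub fn panics_on(key: u8, msg: Vec<u8>) -> bool {
    panic::catch_unwind(move || read_message_panicking(key, &msg)).is_err()
}

fn main() {
    let mut msg = seal(7, b"hello"); // constructed sample message
    msg[0] ^= 1; // corrupt one ciphertext byte
    println!("{:?}", read_message_propagating(7, &msg));
    println!("panicking variant unwinds: {}", panics_on(7, msg));
}
```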

Advisory available under CC0-1.0 license.