RustSec logo

HistoryEditJSON (OSV)

RUSTSEC-2026-0209

AES-GCM did not enforce limits on AAD length

Reported
Issued
Package
libcrux-aesgcm (crates.io)
Type
Vulnerability
Categories
References
CVSS Score
6.3 MEDIUM
CVSS Details
Attack Complexity
Low
Attack Requirements
Present
Attack Vector
Network
Privileges Required
None
Availability Impact to the Subsequent System
None
Confidentiality Impact to the Subsequent System
None
Integrity Impact to the Subsequent System
None
User Interaction
None
Availability Impact to the Vulnerable System
None
Confidentiality Impact to the Vulnerable System
None
Integrity Impact to the Vulnerable System
Low
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Patched
no patched versions
Affected Functions
Version
libcrux_aesgcm::AesGcm128Key::decrypt
  • <=0.0.8
libcrux_aesgcm::AesGcm128Key::encrypt
  • <=0.0.8
libcrux_aesgcm::AesGcm256Key::decrypt
  • <=0.0.8
libcrux_aesgcm::AesGcm256Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::AesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::AesGcm128::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::NeonAesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::NeonAesGcm128::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::PortableAesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::PortableAesGcm128::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::X64AesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::X64AesGcm128::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::AesGcm256::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::AesGcm256::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::NeonAesGcm256::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::NeonAesGcm256::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::PortableAesGcm256::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::PortableAesGcm256::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::Key::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::KeyRef::encrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::X64AesGcm256::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::X64AesGcm256::encrypt
  • <=0.0.8

Description

NIST Special Publication 800-38D specifies that the bit length of the AAD shall not exceed 2^64 - 1 bits. The implementation of AES-GCM in libcrux-aesgcm neither enforced this limit for encryption nor for decryption.

Impact

Use of AES-GCM with AAD of length exceeding the prescribed maximum length degrades the authentication security of the GCM tag.

Mitigation

Starting from version 0.0.9 (published as libcrux-aes@v0.0.9), limits on the length of the AAD input are enforced, so overlong AAD inputs result in an error on encryption and decryption.

Advisory available under CC0-1.0 license.