GHSA-hc3c-63hc-2r9f: libcrux: Potential Panic on Overlong Ciphertext Buffer

May 19, 2026

An application that passes in a ciphertext buffer of length greater than ptxt.len() + TAG_LEN to libcrux_chacha20poly1305::encrypt or libcrux_chacha20poly1305::xchacha20_poly1305::encrypt would experience a panic.

References

github.com/advisories/GHSA-hc3c-63hc-2r9f
github.com/cryspen/libcrux/pull/1386
rustsec.org/advisories/RUSTSEC-2026-0124.html

Code Behaviors & Features

Detect and mitigate GHSA-hc3c-63hc-2r9f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →