CVE-2026-24785: Clatter has a PSK Validity Rule Violation issue

January 28, 2026

Protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse.

Affected default patterns include noise_pqkk_psk0, noise_pqkn_psk0, noise_pqnk_psk0, noise_pqnn_psk0, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties.

References

github.com/advisories/GHSA-253q-9q78-63x4
github.com/jmlepisto/clatter
github.com/jmlepisto/clatter/commit/b65ae6e9b8019bed5407771e21f89ddff17c5a71
github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4
noiseprotocol.org/noise.html
nvd.nist.gov/vuln/detail/CVE-2026-24785

Code Behaviors & Features

Detect and mitigate CVE-2026-24785 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →