Bug-Fixes in `libcrux-ecdh`, `libcrux-ed25519`, `libcrux-psq`

Moderate severity • GitHub Reviewed • Published Feb 12, 2026 in cryspen/libcrux • Updated Feb 12, 2026

Package: cargo libcrux-ecdh (Rust)
Affected versions: <= 0.0.5
Patched versions: 0.0.6

Package: cargo libcrux-ed25519 (Rust)
Affected versions: <= 0.0.5
Patched versions: 0.0.6

Package: cargo libcrux-psq (Rust)
Affected versions: <= 0.0.6
Patched versions: 0.0.7

Description

In accordance with our security policy for libcrux, we publish a GitHub security advisory for any releases whose CHANGELOG includes bug-fixes, and encourage our users to upgrade. The latest releases of the libcrux-ecdh, libcrux-ed25519 and libcrux-psq crates contain the following bug-fixes:

libcrux-ecdh

  • #1301: Check length and clamping in X25519 secret validation. This is a breaking change, since errors are now raised on unclamped X25519 secrets or inputs of the wrong length.

libcrux-ed25519

  • #1320: Remove duplicated clamping step during key generation

The issue fixed in #1320 was first reported by Nadim Kobeissi.

libcrux-psq

  • #1319: Propagate AEADError instead of panicking
  • #1301: Fix broken clamping check for imported X25519 secret keys

The issue fixed in #1319 was first reported by Nadim Kobeissi.
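
For callers preparing for the stricter X25519 secret validation in #1301 (libcrux-ecdh and libcrux-psq), the following added example shows a length and clamping check as RFC 7748 defines clamping, plus the clamping step to apply to imported key material. It is not code from libcrux; the names `SecretError`, `clamp` and `validate_secret` are hypothetical, and it assumes the advisory's "clamped" means the RFC 7748 bit pattern.

```rust
// Added illustration, not libcrux code. All names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum SecretError {
    WrongLength(usize),
    NotClamped,
}

/// RFC 7748 clamping: clear the low 3 bits of byte 0,
/// clear bit 7 and set bit 6 of byte 31.
pub fn clamp(mut sk: [u8; 32]) -> [u8; 32] {
    sk[0] &= 248;
    sk[31] &= 127;
    sk[31] |= 64;
    sk
}

/// Strict validation: reject bad input instead of silently repairing it.
pub fn validate_secret(input: &[u8]) -> Result<[u8; 32], SecretError> {
    if input.len() != 32 {
        return Err(SecretError::WrongLength(input.len()));
    }
    let mut sk = [0u8; 32];
    sk.copy_from_slice(input);
    let low_bits_clear = sk[0] & 0b0000_0111 == 0;
    let top_bit_clear = sk[31] & 0b1000_0000 == 0;
    let bit_254_set = sk[31] & 0b0100_0000 != 0;
    if low_bits_clear && top_bit_clear && bit_254_set {
        Ok(sk)
    } else {
        Err(SecretError::NotClamped)
    }
}

fn main() {
    // Constructed sample input: 32 bytes of 0xff is not clamped.
    let raw = [0xffu8; 32];
    println!("raw:       {:?}", validate_secret(&raw).map(|_| "accepted"));
    // Clamping first makes the same key material pass validation.
    let clamped = clamp(raw);
    println!("clamped:   {:?}", validate_secret(&clamped).map(|_| "accepted"));
    // A truncated input is rejected on length before any bit checks.
    println!("truncated: {:?}", validate_secret(&raw[..31]).map(|_| "accepted"));
}
```

Secrets generated elsewhere and stored unclamped need the `clamp` step once at import time; after the upgrade they would otherwise surface as validation errors.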

jschneider-bensch published to cryspen/libcrux Feb 12, 2026
Published to the GitHub Advisory Database Feb 12, 2026
Reviewed Feb 12, 2026
Last updated Feb 12, 2026

Severity

Moderate

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

CVE ID

No known CVE

GHSA ID

GHSA-435g-fcv3-8j26
