Full Report
Rust security maintainers contend Nadim Kobeissi's vulnerability claims are too much Since February, cryptographer Nadim Kobeissi has been trying to get code fixes applied to Rust cryptography libraries to address what he says are critical bugs. For his efforts, he's been dismissed, ignored, and banned from Rust security channels.…
Analysis Summary
# Vulnerability: Critical Cryptographic Flaws in Rust Cryptography Libraries (hpke-rs & libcrux)
## CVE Details
- **CVE ID:** Not yet assigned / Pending (The dispute centers on the refusal of RustSec to issue identifiers).
- **CVSS Score:** Estimated 9.1 - 10.0 (Researcher claim)
- **Severity:** Critical
- **CWE:** CWE-323 (Reusing a Nonce, Key Pair in Generic Crypto Operations), CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:**
  - `hpke-rs` crate (Rust implementation of Hybrid Public Key Encryption)
  - `libcrux` library (specifically `libcrux-ml-dsa`)
- **Versions:**
  - `libcrux-ml-dsa` v0.0.3 and earlier.
  - `hpke-rs` versions prior to February 2026 (specific versioning suppressed by vendor).
- **Configurations:** Systems that use these libraries for secure messaging; the report names Signal, OpenMLS, Google, SSH, and the Linux kernel as places where the libraries are integrated or were previously deployed.
## Vulnerability Description
Researcher Nadim Kobeissi identified 13 claimed vulnerabilities across the Rust cryptography ecosystem. Two primary flaws are highlighted:
1. **Nonce-Reuse Vulnerability:** A flaw in the `hpke-rs` crate involving improper nonce management during encryption. If an attacker observes $2^{32}$ encryptions, the flaw enables full AES-GCM plaintext recovery and message forgery.
2. **Denial of Service (DoS):** A vulnerability leading to silent cryptographic failures or resource exhaustion, potentially crashing services relying on the library for secure handshakes.
The dispute also concerns the "high-assurance" status of these libraries: the researcher claims that, despite being marketed as "formally verified," the libraries contained implementation defects that the verification did not catch.
## Exploitation
- **Status:** PoC available (Researcher has presented findings at OSTIF meetups; claims bugs were present in production environments).
- **Complexity:** Medium (Requires a high volume of traffic—$2^{32}$ encryptions—for the plaintext recovery exploit).
- **Attack Vector:** Network (Applicable to any communications protocol using the vulnerable crates for encryption).
## Impact
- **Confidentiality:** High (Total plaintext recovery possible).
- **Integrity:** High (Internal state compromise allows for message forgery).
- **Availability:** High (Denial of Service potential).
## Remediation
### Patches
- **libcrux:** Maintainers (Cryspen) report that bugs identified in pre-release software were addressed within a week of the February 2026 reports. Users should update to the latest crate versions.
- **hpke-rs:** Users are advised to check for recent crate updates, though formal RustSec advisories (which trigger `cargo audit` alerts) are currently absent due to the ongoing administrative dispute.
### Workarounds
- Transition to alternative verified implementations of HPKE (e.g., those in the `rust-crypto` or `ring` ecosystems) if the current supply chain risk is deemed too high given the lack of formal advisories.
## Detection
- **Indicators of Compromise:** High volumes of encrypted traffic to a single endpoint exceeding $2^{32}$ packets without a re-keying event.
- **Detection Methods:**
  - Run `cargo audit` (Note: This may not currently flag the issue until the RustSec/Kobeissi dispute is resolved).
  - Manual inspection of `Cargo.lock` files for `hpke-rs` and `libcrux` dependencies.
## References
- **Researcher Blog:** hxxps://symbolic[.]software/blog/2026-02-05-cryspen/
- **Vendor Response:** hxxps://cryspen[.]com/post/strengths-and-limitations/
- **Discussion Thread:** hxxps://github[.]com/cryspen/libcrux/issues/1220
- **Rust Foundation CoC:** hxxps://rustfoundation[.]org/policy/code-of-conduct