Integer Overflow or Wraparound Affecting hpke-rs-rust-crypto package, versions <0.6.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Integer Overflow or Wraparound vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-RUST-HPKERSRUSTCRYPTO-15285652
- published16 Feb 2026
- disclosed13 Feb 2026
- creditNadim Kobeissi
Introduced: 13 Feb 2026
New CVE NOT AVAILABLE CWE-190 (opens in a new tab)How to fix?
Upgrade hpke-rs-rust-crypto to version 0.6.0 or higher.
Overview
hpke-rs-rust-crypto is an implementation of the HpkeCrypto trait using native Rust crypto implementations (hkdf, sha2, p256, k256, p384, x25519-dalek, chacha20poly1305, aes-gcm).
Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to the unchecked sequence number increment in the Context encryption/decryption routines in src/lib.rs. An attacker can cause nonce reuse and compromise AEAD confidentiality and integrity by triggering a wraparound of the 32-bit context counter past its maximum value.