Use of a Broken or Risky Cryptographic Algorithm in libcrux-ecdh

Q: How to fix?

Upgrade libcrux-ecdh to version 0.0.6 or higher.

Introduced: 12 Feb 2026

How to fix?

Upgrade libcrux-ecdh to version 0.0.6 or higher.

Overview

libcrux-ecdh is a This crate provides an API for performing elliptic curve Diffie-Hellman. Currently supported curves are Curve 25519 and NIST curve P256.

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via insufficient validation in the X25519 secret key handling and duplicated clamping during key generation. An attacker can cause incorrect cryptographic operations or trigger errors by providing malformed or improperly clamped secret keys.

References

GitHub Commit
GitHub Commit
GitHub Commit
GitHub PR
GitHub PR
GitHub PR

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Use of a Broken or Risky Cryptographic Algorithm Affecting libcrux-ecdh package, versions <0.0.6

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 12 Feb 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk