OOB Read in X-Wing HPKE Decapsulation of swift-crypto v4.3.1
CVE-2026-28815 Published on April 3, 2026
A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.
Products Associated with CVE-2026-28815
Want to know whenever a new CVE is published for Apple macOS? stack.watch will email you.
Affected Versions
Apple macOS:- Version 4.0.0 and below 4.3.1 is affected.