
CVE-2024-58265 snow

Package

Manager: cargo
Name: snow
Vulnerable Version: >=0 <0.9.5

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0005 pctl0.15007

Details

Unauthenticated Nonce Increment in snow

Impact

There was a logic bug in which payloads that failed authentication could still cause a nonce increment in snow's internal state. An attacker able to inject packets into the channel Noise is running over can therefore mount a denial-of-service attack: a single injected packet that fails decryption leaves the receiving side expecting a different nonce from the one the sending side will use next, so subsequent legitimate messages also fail to authenticate and communication on that session stops. Note that this only affects users of the stateful `TransportState`, not those using `StatelessTransportState`, which keeps no nonce counter of its own.

Patches

This has been patched in version 0.9.5, and all users are recommended to update.

References

There will be a more formal report of this in the near future.
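To make the failure mode concrete, the following is an added example written for this page, not snow's code: a toy stateful transport in Rust in which the receiving side either advances its nonce before the tag is checked (the ordering the advisory describes) or only after a payload authenticates. The "cipher" (a splitmix64-based keystream and tag), the session key, the message contents and the injected bytes are all constructed for the illustration and have no security value; only the ordering of "authenticate" versus "increment n" is the point.

```rust
// Constructed model of the nonce-desynchronisation bug, not snow's code.
// The toy cipher below is NOT secure; it only gives us a tag that depends
// on (key, nonce, ciphertext) so that a wrong nonce makes verification fail.

/// splitmix64 finaliser, used here purely as a toy mixing function.
fn mix(mut z: u64) -> u64 {
    z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    z ^ (z >> 31)
}

/// Toy keystream byte i for (key, nonce).
fn keystream_byte(key: u64, nonce: u64, i: usize) -> u8 {
    mix(key ^ nonce.wrapping_mul(0x9E37_79B9_7F4A_7C15) ^ ((i as u64) + 1)) as u8
}

/// Toy authentication tag over (key, nonce, ciphertext).
fn tag(key: u64, nonce: u64, ct: &[u8]) -> u64 {
    ct.iter().fold(mix(key ^ !nonce), |t, &b| mix(t ^ u64::from(b)))
}

/// Encrypt-then-tag, the shape of an AEAD ENCRYPT(k, n, ad, plaintext) call.
fn seal(key: u64, nonce: u64, pt: &[u8]) -> Vec<u8> {
    let mut msg: Vec<u8> = pt
        .iter()
        .enumerate()
        .map(|(i, &b)| b ^ keystream_byte(key, nonce, i))
        .collect();
    msg.extend_from_slice(&tag(key, nonce, &msg).to_le_bytes());
    msg
}

/// Verify-then-decrypt. Returns None on a bad tag or a truncated message.
fn open(key: u64, nonce: u64, msg: &[u8]) -> Option<Vec<u8>> {
    if msg.len() < 8 {
        return None;
    }
    let (ct, t) = msg.split_at(msg.len() - 8);
    let expected = tag(key, nonce, ct).to_le_bytes();
    if t != &expected[..] {
        return None;
    }
    Some(
        ct.iter()
            .enumerate()
            .map(|(i, &b)| b ^ keystream_byte(key, nonce, i))
            .collect(),
    )
}

/// Sending side of a stateful transport: one key and a counter n that
/// advances once per message written.
struct Sender {
    key: u64,
    n: u64,
}

impl Sender {
    fn write_message(&mut self, pt: &[u8]) -> Vec<u8> {
        let msg = seal(self.key, self.n, pt);
        self.n += 1;
        msg
    }
}

/// Receiving side. `increment_before_auth` selects the buggy ordering the
/// advisory describes (an assumed shape for illustration, not snow's code).
struct Receiver {
    key: u64,
    n: u64,
    increment_before_auth: bool,
}

impl Receiver {
    fn read_message(&mut self, msg: &[u8]) -> Result<Vec<u8>, &'static str> {
        let n = self.n;
        if self.increment_before_auth {
            // Buggy: n advances whether or not the tag verifies, so one
            // injected junk packet leaves the receiver permanently ahead.
            self.n += 1;
            return open(self.key, n, msg).ok_or("authentication failed");
        }
        // Fixed: only a payload that authenticates may advance n.
        let pt = open(self.key, n, msg).ok_or("authentication failed")?;
        self.n += 1;
        Ok(pt)
    }
}

/// Runs: legitimate message, injected junk packet, legitimate message.
/// Returns whether each of the three reads succeeded on the receiver.
pub fn run_scenario(increment_before_auth: bool) -> [bool; 3] {
    let key = 0x0123_4567_89ab_cdef; // constructed session key
    let mut tx = Sender { key, n: 0 };
    let mut rx = Receiver { key, n: 0, increment_before_auth };

    let ok1 = rx.read_message(&tx.write_message(b"hello")).is_ok();
    // Attacker-injected bytes: no knowledge of the key, hence no valid tag.
    let injected = vec![0x41u8; 13];
    let ok2 = rx.read_message(&injected).is_ok();
    let ok3 = rx.read_message(&tx.write_message(b"world")).is_ok();
    [ok1, ok2, ok3]
}

fn main() {
    println!("vulnerable ordering: {:?}", run_scenario(true)); // [true, false, false]
    println!("fixed ordering:      {:?}", run_scenario(false)); // [true, false, true]
}
```

With the vulnerable ordering the first read succeeds, the injected packet is rejected, and the next legitimate message is rejected too, because the receiver is now one nonce ahead of the sender and stays there; with the fixed ordering the same legitimate message still reads cleanly. This is the behaviour the Noise specification requires of a CipherState: when DECRYPT fails, n is not incremented and the error is reported to the caller. To check whether a build is exposed, `cargo tree -i snow` shows which dependency pulls the crate in, and `cargo update -p snow` moves it to 0.9.5 where the existing version constraints allow.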

Metadata

Created: 2024-01-24T20:53:48Z
Modified: 2025-07-28T15:56:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-7g9j-g5jg-3vv3/GHSA-7g9j-g5jg-3vv3.json
CWE IDs: ["CWE-440"]
Alternative ID: GHSA-7g9j-g5jg-3vv3
Finding: F014
Auto approve: 1