CVE-2026-28815
Out-of-Bounds Read in Swift-Crypto HPKE Causes Crash, Data Leak
Publication date: 2026-04-03
Last updated on: 2026-04-13
Assigner: Apple Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | swift-crypto | From 4.0.0 (inc) to 4.3.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Apple Swift Crypto library to version 4.3.1 or later, where the vulnerability is fixed by adding proper length validation before passing encapsulated ciphertext to the C API.
Avoid using vulnerable versions (4.0.0 to 4.3.0) of the Swift Crypto library in your environment until the update is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the HPKE.Recipient initialization in the Apple Swift Crypto library when supplied with encapsulated keys of incorrect length.
A proof of concept involves passing a deliberately short encapsulated key (e.g., 1 byte instead of the required 1120 bytes) to the decapsulation function and observing if it triggers an out-of-bounds read or crash.
Running the vulnerable code with AddressSanitizer enabled can help detect dynamic stack buffer overflow reads caused by this issue.
- Use a test case that initializes an HPKE.Recipient with a malformed encapsulated key shorter than 1120 bytes.
- Run the application or test with AddressSanitizer or similar memory safety tools to detect out-of-bounds reads or crashes.
Can you explain this vulnerability to me?
CVE-2026-28815 is a memory safety vulnerability in the Apple Swift Crypto library's X-Wing HPKE decapsulation implementation. The issue occurs because the decapsulation function accepts an attacker-controlled encapsulated ciphertext of arbitrary length without checking that it is exactly 1120 bytes as required.
The vulnerable function forwards this input directly to a C API that expects a fixed-size buffer of 1120 bytes. If a shorter input is provided, the C code reads beyond the buffer boundary, causing an out-of-bounds read.
This can lead to crashes or potential memory disclosure depending on runtime protections. The flaw is exploitable when initializing an HPKE.Recipient object with a malformed encapsulated key.
The vulnerability is fixed in Swift Crypto version 4.3.1 by adding proper length validation before passing data to the C API.
How can this vulnerability impact me? :
This vulnerability allows a remote attacker to supply a malformed, short encapsulated key that triggers an out-of-bounds read in the C decapsulation code.
The impact can include application crashes or potential memory disclosure, which might expose sensitive information depending on the runtime environment's protections.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.