{"id":"CVE-2026-28815","details":"A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1.","aliases":["GHSA-9m44-rr2w-ppp7"],"modified":"2026-07-15T06:21:53.540809Z","published":"2026-04-03T03:16:18.093Z","references":[{"type":"EVIDENCE","url":"https://github.com/apple/swift-crypto/security/advisories/GHSA-9m44-rr2w-ppp7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apple/swift-crypto","events":[{"introduced":"bcd2b89f2a4446395830b82e4e192765edd71e18"},{"fixed":"bb4ba815dab96d4edc1e0b86d7b9acf9ff973a84"}],"database_specific":{"extracted_events":[{"introduced":"4.0.0"},{"fixed":"4.3.1"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:apple:swift-crypto:*:*:*:*:*:swift:*:*"}}],"versions":["4.3.0","4.2.0","4.1.0","4.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28815.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}