{"id":"RUSTSEC-2024-0011","summary":"Unauthenticated Nonce Increment in snow","details":"There was a logic bug where unauthenticated payloads could still cause a nonce\nincrement in snow's internal state. For an attacker with privileges to inject\npackets into the channel over which the Noise session operates, this could\nallow a denial-of-service attack which could prevent message delivery by\nsending garbage data.\n\nNote that this only affects those who are using the stateful TransportState,\nnot those using StatelessTransportState.\n\nThis has been patched in version 0.9.5, and all users are recommended to\nupdate.","aliases":["CVE-2024-58265","GHSA-7g9j-g5jg-3vv3"],"modified":"2025-10-28T06:02:18Z","published":"2024-01-23T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/snow"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0011.html"},{"type":"ADVISORY","url":"https://github.com/mcginty/snow/security/advisories/GHSA-7g9j-g5jg-3vv3"}],"affected":[{"package":{"name":"snow","ecosystem":"crates.io","purl":"pkg:cargo/snow"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.9.5"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"functions":[],"arch":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0011.json","informational":null,"cvss":null,"categories":["crypto-failure","denial-of-service"]}}],"schema_version":"1.7.3"}