VYPR
Medium severity4.7NVD Advisory· Published Sep 22, 2023· Updated Jun 17, 2026

CVE-2023-42811

CVE-2023-42811

Description

aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the aes-gcm crate's decrypt_in_place* APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
aes-gcmcrates.io
>= 0.10.0, < 0.10.30.10.3

Affected products

5

Patches

Vulnerability mechanics

References

11

News mentions

0

No linked articles in our index yet.