VYPR
Moderate severity · NVD Advisory · Published Sep 22, 2023 · Updated Jun 18, 2025

AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure

CVE-2023-42811

Description

aes-gcm is a pure Rust implementation of AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES-GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the aes-gcm crate's decrypt_in_place* APIs accesses the buffer after a decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program, this may enable Chosen Ciphertext Attacks (CCAs), which can cause a catastrophic breakage of the cipher, including full plaintext recovery. Version 0.10.3 contains a fix for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AES-GCM crate in Rust exposes decrypted plaintext on tag verification failure, enabling Chosen Ciphertext Attacks.

Vulnerability

Description

The AES-GCM implementation in the aes-gcm Rust crate (versions 0.10.0 to 0.10.2) suffers from a critical flaw in the decrypt_in_place_detached function. When tag verification fails, the decrypted ciphertext (i.e., the plaintext) remains in the buffer instead of being cleared before returning an error [1][3]. This contradicts the NIST GCM specification, which states that plaintext should only be returned if the tag matches [4].

Exploitation

An attacker who can provide a manipulated ciphertext to an application using this API can trigger a failed decryption. If the application then accesses the buffer (e.g., for error handling or logging), the unauthenticated plaintext is exposed. This requires the attacker to have the ability to inject or control the ciphertext input, typically over a network or via file upload [2].

Impact

Exposure of the decrypted data enables Chosen Ciphertext Attacks (CCAs), potentially allowing full recovery of the plaintext. This undermines the integrity guarantees of AES-GCM, as an attacker can iteratively modify ciphertexts and observe the 'decrypted' output to extract secrets [3][4]. The impact is severe in scenarios requiring authenticated encryption, such as secure communications or data storage.

Mitigation

The issue is fixed in version 0.10.3 of the aes-gcm crate [3]. Users should update immediately. As a workaround, applications must ensure that after a decryption failure, the buffer is not used; however, relying on this is error-prone. No known evidence of active exploitation has been reported as of the advisory date [2].
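To make the failure mode and the workaround concrete, here is an added Rust illustration (not the aes-gcm crate's code): a toy in-place "AEAD" with the same call shape as decrypt_in_place_detached, a function that reproduces the pre-0.10.3 ordering (decrypt, then verify, return Err without clearing the buffer), and a wrapper that overwrites the buffer whenever the call fails. The XOR keystream and checksum tag are constructed stand-ins with no cryptographic strength; only the buffer handling is the point.

```rust
// Added illustration, not code from the aes-gcm crate. The keystream and the
// 4-byte "tag" below are constructed toys; a real AEAD uses AES-CTR and GHASH
// and compares tags in constant time (omitted here for brevity).

#[derive(Debug, PartialEq)]
pub struct Error;

/// Toy keystream derived from key and nonce so the demo is deterministic.
fn keystream_byte(key: &[u8; 16], nonce: &[u8; 12], i: usize) -> u8 {
    key[i % 16] ^ nonce[i % 12] ^ (i as u8)
}

/// Toy tag: a checksum over key, nonce, AAD and ciphertext (NOT a MAC).
fn toy_tag(key: &[u8; 16], nonce: &[u8; 12], aad: &[u8], ct: &[u8]) -> [u8; 4] {
    let mut acc: u32 = 0;
    for (i, b) in key.iter().chain(nonce).chain(aad).chain(ct).enumerate() {
        acc = acc.wrapping_mul(31).wrapping_add((*b as u32) ^ (i as u32));
    }
    acc.to_be_bytes()
}

/// Encrypts `buf` in place and returns the detached tag (toy version).
pub fn toy_encrypt_in_place_detached(
    key: &[u8; 16], nonce: &[u8; 12], aad: &[u8], buf: &mut [u8],
) -> [u8; 4] {
    for (i, b) in buf.iter_mut().enumerate() { *b ^= keystream_byte(key, nonce, i); }
    toy_tag(key, nonce, aad, buf)
}

/// Mirrors the flawed ordering described in the advisory: the tag is computed
/// over the ciphertext, the buffer is decrypted, and on a tag mismatch Err is
/// returned while the unauthenticated plaintext is left in `buf`.
pub fn vulnerable_decrypt_in_place_detached(
    key: &[u8; 16], nonce: &[u8; 12], aad: &[u8], buf: &mut [u8], tag: &[u8; 4],
) -> Result<(), Error> {
    let expected = toy_tag(key, nonce, aad, buf);
    for (i, b) in buf.iter_mut().enumerate() { *b ^= keystream_byte(key, nonce, i); }
    if expected == *tag { Ok(()) } else { Err(Error) }
}

/// Defensive wrapper (the advisory's workaround made mechanical): on any
/// failure the buffer is overwritten before the error propagates, so a caller
/// that wrongly reads it afterwards sees only zeros, never plaintext.
pub fn decrypt_in_place_detached_zeroizing(
    key: &[u8; 16], nonce: &[u8; 12], aad: &[u8], buf: &mut [u8], tag: &[u8; 4],
) -> Result<(), Error> {
    let result = vulnerable_decrypt_in_place_detached(key, nonce, aad, buf, tag);
    if result.is_err() { buf.iter_mut().for_each(|b| *b = 0); }
    result
}
```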

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions       Patched versions
aes-gcm (crates.io)  >= 0.10.0, < 0.10.3     0.10.3
