VYPR
Medium severity 5.3 · NVD Advisory · Published May 9, 2025 · Updated Apr 15, 2026

CVE-2025-4432

Description

A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received.
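An added example, not code from ring or from this advisory: a minimal model of a big-endian 32-bit counter held in the last four bytes of a 16-byte block, showing where checked addition fails and what the wrapping fix produces instead. `CounterBlock`, its methods and `would_overflow` are hypothetical names; the increment of 1 and the input blocks are constructed.

```rust
// Added illustration; `CounterBlock` and its methods are hypothetical names,
// not ring's API. Inputs in `main` are constructed.

/// 16-byte block whose last four bytes hold a big-endian 32-bit counter.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct CounterBlock(pub [u8; 16]);

impl CounterBlock {
    fn low32(&self) -> u32 {
        let [.., c0, c1, c2, c3] = self.0;
        u32::from_be_bytes([c0, c1, c2, c3])
    }

    fn set_low32(&mut self, v: u32) {
        self.0[12..].copy_from_slice(&v.to_be_bytes());
    }

    /// Pre-patch arithmetic. `checked_add` returns `None` exactly where `+`
    /// panics under overflow checks, so the failure shows up as an `Err`.
    pub fn increment_checked(&mut self, by: u32) -> Result<(), &'static str> {
        let new = self.low32().checked_add(by).ok_or("u32 counter overflow")?;
        self.set_low32(new);
        Ok(())
    }

    /// Patched arithmetic: wrap modulo 2^32, upper 12 bytes untouched.
    pub fn increment_wrapping(&mut self, by: u32) {
        let new = self.low32().wrapping_add(by);
        self.set_low32(new);
    }
}

/// True when incrementing this block by `by` would have hit the overflow check.
pub fn would_overflow(block: [u8; 16], by: u32) -> bool {
    CounterBlock(block).increment_checked(by).is_err()
}

fn main() {
    // Constructed block: arbitrary upper bytes, low 32 bits all ones.
    let mut edge = [0x11u8; 16];
    edge[12..].copy_from_slice(&[0xff; 4]);
    println!("edge overflows: {}", would_overflow(edge, 1));
    println!("zero overflows: {}", would_overflow([0u8; 16], 1));

    let mut c = CounterBlock(edge);
    c.increment_wrapping(1);
    println!("after wrap: {:02x?}", c.0); // low 32 bits 0, upper bytes still 0x11
}
```

Cargo's default release profile has overflow checks off and the default dev profile has them on, so whether a given build can panic here depends on its `overflow-checks` setting.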

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ring (crates.io) | < 0.17.12 | 0.17.12

Patches

1
ec2d3cf1d91f

aes: Avoid unwanted overflow check when using u32::MAX as the counter.

https://github.com/briansmith/ring · Brian Smith · Mar 5, 2025 · via ghsa
3 files changed · +17 1
  • src/aead/aes.rs+1 1 modified
    @@ -154,7 +154,7 @@ impl Counter {
         pub(super) fn increment_by_less_safe(&mut self, increment_by: NonZeroU32) {
             let [.., c0, c1, c2, c3] = &mut self.0;
             let old_value: u32 = u32::from_be_bytes([*c0, *c1, *c2, *c3]);
    -        let new_value = old_value + increment_by.get();
    +        let new_value = old_value.wrapping_add(increment_by.get());
             [*c0, *c1, *c2, *c3] = u32::to_be_bytes(new_value);
         }
     }
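Review bot: the switch to `wrapping_add` in `increment_by_less_safe` makes wrap-around of the low 32 bits intended behaviour, but nothing next to the call records that. Add a short comment above `let new_value = ...` stating that the counter is the big-endian `u32` in the last four bytes, that it wraps modulo 2^32 with no carry into the preceding bytes, and that `u32::MAX` is a legal starting value (the case named in the commit message), so a later cleanup does not turn it back into `+` or `checked_add`.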
    
  • tests/quic_aes_128_tests.txt+8 0 modified
    @@ -1,3 +1,11 @@
     KEY = e8904ecc2e37a6e4cc02271e319c804b
     SAMPLE = 13484ec85dc4d36349697c7d4ea1a159
     MASK = 67387ebf3a
    +
    +KEY = e8904ecc2e37a6e4cc02271e319c804b
    +SAMPLE = 00000000000000000000000fffffffff
    +MASK = feb191f8af
    +
    +KEY = e8904ecc2e37a6e4cc02271e319c804b
    +SAMPLE = 000000000000000fffffffffffffffff
    +MASK = 6f23441ee8
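Review bot: the two added vectors only guard against the regression when this test is built with overflow checks enabled; with checks off, the old `old_value + increment_by.get()` wraps silently and produces the same MASK, so the test passes either way. Make sure the suite runs at least once in a profile with overflow checks on, and add a line above the new entries saying they cover a SAMPLE whose trailing bytes are all `ff`.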
    
  • tests/quic_aes_256_tests.txt+8 0 modified
    @@ -1,3 +1,11 @@
     KEY = 85af7213814aec7b92ace6284a906643912ec8853d00d158a927b8697c7ff585
     SAMPLE = 82a0db90f4cee12fa4afeddb74396cf6
     MASK = 670897adf5
    +
    +KEY = 85af7213814aec7b92ace6284a906643912ec8853d00d158a927b8697c7ff585
    +SAMPLE = 000000000000000000000000ffffffff
    +MASK = b77a18bb3f
    +
    +KEY = 85af7213814aec7b92ace6284a906643912ec8853d00d158a927b8697c7ff585
    +SAMPLE = 000000000000000fffffffffffffffff
    +MASK = 4aadd3cbef
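Review bot: the first added SAMPLE here, `000000000000000000000000ffffffff`, is not the same string as the first one added to tests/quic_aes_128_tests.txt, `00000000000000000000000fffffffff`, while the second added SAMPLE is identical in both files. If the difference is deliberate, say so in the commit message or next to the vectors; if not, align them so both key sizes exercise the same boundary.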
    
