Platform: swift
Component: swift-crypto
Fixed in: 4.3.1
CVE-2026-28815 describes an out-of-bounds read vulnerability discovered in Swift Crypto. An attacker can exploit this by providing a specially crafted, short X-Wing HPKE encapsulated key, leading to a potential crash or memory disclosure. This vulnerability affects versions 4.0.0 through 4.3.1 of Swift Crypto, and a fix is available in version 4.3.1.
The primary impact of CVE-2026-28815 is the potential for a crash or memory disclosure. While a crash might only result in service disruption, memory disclosure could allow an attacker to leak sensitive information from the application's memory space. The X-Wing HPKE encapsulation process is used for secure key exchange, so a successful exploit could compromise the confidentiality of data being protected. The severity of the memory disclosure depends on the runtime protections in place; however, even a crash can be disruptive and potentially used as a denial-of-service vector.
CVE-2026-28815 was publicly disclosed on 2026-04-03. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the nature of the vulnerability (out-of-bounds read in a cryptographic context), it is reasonable to assume that security researchers are actively investigating it.
Exploit Status: EPSS 0.04% (14th percentile)
The recommended mitigation for CVE-2026-28815 is to upgrade immediately to Swift Crypto version 4.3.1 or later. If upgrading is not immediately feasible, consider runtime protections that detect and block out-of-bounds memory accesses. A direct workaround for the crafted key itself is unlikely, but rejecting any incoming HPKE encapsulated key whose length or format does not match what X-Wing expects, before it reaches the decapsulation code, provides an additional layer of defense. After upgrading, confirm the fix by attempting to decapsulate a short X-Wing HPKE key and verifying that the input is rejected cleanly, with no crash or memory disclosure.
Update the swift-crypto library to version 4.3.1 or higher. This corrects the out-of-bounds read vulnerability that could lead to a crash or memory disclosure.
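The length check recommended in the mitigation above, as an added example that is not swift-crypto's own code: it accepts an X-Wing HPKE encapsulated key only when it has the size the X-Wing specification defines (a 1088-byte ML-KEM-768 ciphertext followed by a 32-byte X25519 ephemeral public key) and only then splits it into its components; the function and class names and the sample inputs are this example's own constructions.

```python
from dataclasses import dataclass

# Component sizes from the X-Wing KEM specification: the encapsulated key is
# ML-KEM-768 ciphertext (1088 bytes) || X25519 ephemeral public key (32 bytes).
MLKEM768_CIPHERTEXT_LEN = 1088
X25519_PUBLIC_KEY_LEN = 32
XWING_ENCAPSULATED_KEY_LEN = MLKEM768_CIPHERTEXT_LEN + X25519_PUBLIC_KEY_LEN  # 1120

class MalformedEncapsulatedKey(ValueError):
    """Raised for any enc value that must not reach the decapsulation code."""

@dataclass(frozen=True)
class XWingEncapsulation:
    mlkem_ciphertext: bytes
    x25519_ephemeral_public_key: bytes

def parse_xwing_encapsulated_key(enc) -> XWingEncapsulation:
    """Check the total length of an incoming X-Wing HPKE encapsulated key and
    only then split it at the fixed component offsets. Slicing at offset 1088
    without this check is what reads past the end of a short buffer."""
    if not isinstance(enc, (bytes, bytearray, memoryview)):
        raise MalformedEncapsulatedKey("encapsulated key must be raw bytes")
    enc = bytes(enc)
    if len(enc) != XWING_ENCAPSULATED_KEY_LEN:
        raise MalformedEncapsulatedKey(
            f"expected {XWING_ENCAPSULATED_KEY_LEN} bytes, got {len(enc)}")
    return XWingEncapsulation(
        mlkem_ciphertext=enc[:MLKEM768_CIPHERTEXT_LEN],
        x25519_ephemeral_public_key=enc[MLKEM768_CIPHERTEXT_LEN:])

def screen_incoming_keys(samples):
    """Run the check over (label, enc) pairs, e.g. values recovered from request
    logs, and report which would have been handed to decapsulation unchecked."""
    report = {}
    for label, enc in samples:
        try:
            parse_xwing_encapsulated_key(enc)
            report[label] = "accepted"
        except MalformedEncapsulatedKey as err:
            report[label] = f"rejected: {err}"
    return report

# Constructed sample inputs (not real keys): one spec-length value, one short
# value of the kind the advisory describes, and one over-long value.
SAMPLES = [
    ("well-formed", bytes(range(256)) * 4 + bytes(96)),  # 1024 + 96 = 1120 bytes
    ("short", b"\x00" * 16),
    ("over-long", b"\x00" * (XWING_ENCAPSULATED_KEY_LEN + 1)),
]
```

Wiring `parse_xwing_encapsulated_key` in front of the library call keeps malformed input out of the decapsulation path on unpatched builds and gives you a clean place to log rejections.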
CVE-2026-28815 is a vulnerability in Swift Crypto versions 4.0.0–4.3.1 where a short X-Wing HPKE key can trigger an out-of-bounds read, potentially causing a crash or memory disclosure.
If you are using Swift Crypto versions 4.0.0 through 4.3.1, you are potentially affected by this vulnerability. Upgrade to 4.3.1 or later to mitigate the risk.
The fix is to upgrade to Swift Crypto version 4.3.1 or a later version. This resolves the out-of-bounds read vulnerability.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is being actively investigated by security researchers.
Refer to the official Swift Crypto release notes and security advisories on the Swift website for the most up-to-date information.