{"ecosystem":"cargo","package":"ring","version":null,"bugs":[{"id":896,"ecosystem":"cargo","package_name":"ring","affected_version":"0.0.0-0","fixed_version":"0.17.0","bug_id":"osv:RUSTSEC-2025-0010","title":"Versions of *ring* prior to 0.17 are unmaintained.","description":"*ring* 0.16.20 was released over 4 years ago and isn't maintained, tested, etc.\n\nAdditionally, the project's general policy is to only patch the latest release,\nwhich is 0.17.12 now. It will be difficult for anybody to backport future fixes\nto versions earlier than 0.17.10 due to license changes.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/ring","labels":[],"created_at":"2026-04-19T04:32:06.467035+00:00","updated_at":"2026-04-19T04:32:06.467035+00:00"},{"id":895,"ecosystem":"cargo","package_name":"ring","affected_version":"0.0.0-0","fixed_version":"0.17.12","bug_id":"osv:RUSTSEC-2025-0009","title":"Some AES functions may panic when overflow checking is enabled.","description":"`ring::aead::quic::HeaderProtectionKey::new_mask()` may panic when overflow\nchecking is enabled. In the QUIC protocol, an attacker can induce this panic by\nsending a specially-crafted packet. Even unintentionally it is likely to occur\nin 1 out of every 2**32 packets sent and/or received.\n\nOn 64-bit targets operations using `ring::aead::{AES_128_GCM, AES_256_GCM}` may\npanic when overflow checking is enabled, when encrypting/decrypting approximately\n68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols\nlike TLS and SSH are not affected by this because those protocols break large\namounts of data into small chunks. Similarly, most applications will not\nattempt to encrypt/decrypt 64GB of data in one chunk.\n\nOverflow checking is not enabled in release mode by default, but\n`RUSTFLAGS=\"-C overflow-checks\"` or `overflow-checks = true` in the Cargo.toml\nprofile can override this. Overflow checking is usually enabled by default in\ndebug mode.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/ring","labels":["CVE-2025-4432","GHSA-4p46-pwfr-66x6","GHSA-c86p-w88r-qvqr","GO-2025-3678"],"created_at":"2026-04-19T04:32:06.466380+00:00","updated_at":"2026-04-19T04:32:06.466380+00:00"},{"id":894,"ecosystem":"cargo","package_name":"ring","affected_version":null,"fixed_version":"0.17.12","bug_id":"osv:GHSA-4p46-pwfr-66x6","title":"Some AES functions may panic when overflow checking is enabled in ring","description":"`ring::aead::quic::HeaderProtectionKey::new_mask()` may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 2**32 packets sent and/or received.\n\nOn 64-bit targets operations using `ring::aead::{AES_128_GCM, AES_256_GCM}` may panic when overflow checking is enabled, when encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols like TLS and SSH are not affected by this because those protocols break large amounts of data into small chunks. Similarly, most applications will not attempt to encrypt/decrypt 64GB of data in one chunk.\n\nOverflow checking is not enabled in release mode by default, but `RUSTFLAGS=\"-C overflow-checks\"` or `overflow-checks = true` in the Cargo.toml profile can override this. Overflow checking is usually enabled by default in debug mode.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4432","labels":["CVE-2025-4432","GHSA-c86p-w88r-qvqr","GO-2025-3678","RUSTSEC-2025-0009"],"created_at":"2026-04-19T04:32:06.465357+00:00","updated_at":"2026-04-19T04:32:06.465357+00:00"}],"total":3,"_cache":"miss"}