GHSA-w9rp-wwm2-fwmrLowCVSS 9.8

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026...

Published
June 25, 2026
Last Modified
June 26, 2026

🔗 CVE IDs covered (1)

📋 Description

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

🔗 References (4)