RUSTSEC-2026-0209
AES-GCM did not enforce limits on AAD length
Details
NIST Special Publication 800-38D specifies that the bit length of the AAD shall not exceed `2^64 - 1` bits. The implementation of AES-GCM in `libcrux-aesgcm` neither enforced this limit for encryption nor for decryption.
## Impact Use of AES-GCM with AAD of length exceeding the prescribed maximum length degrades the authentication security of the GCM tag.
## Mitigation Starting from version `0.0.9` (published as `libcrux-aes@v0.0.9`), limits on the length of the AAD input are enforced, so overlong AAD inputs result in an error on encryption and decryption.
Are you affected?
Enter the version of the package you're using.
Affected packages
0.0.0-0 No fixed version published yet for libcrux-aesgcm. Pin to a known-safe version or switch to an alternative.