CVE-2024-58265: Unauthenticated Nonce Increment in snow

January 24, 2024 (updated July 28, 2025)

There was a logic bug where unauthenticated payloads could still cause a nonce increment in snow's internal state. An attacker able to inject packets into the channel Noise is talking over can use this for a denial-of-service attack: the injected packet fails authentication but still advances the receiver's nonce, so from then on the sending and receiving sides expect different nonce values and legitimate messages are no longer accepted.

Note that this only affects those who are using the stateful TransportState, not those using StatelessTransportState.
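The desynchronisation described above, as an added model constructed here (not snow's own code): a receiver that advances its nonce on a rejected packet loses sync with the sender, while one that advances only after successful authentication does not. The keyed tag is a toy stand-in for the AEAD, and the `Sender`/`Receiver` names are hypothetical.

```rust
// Constructed model of the CVE-2024-58265 bug class; not snow's code.
// The keyed tag below is a toy stand-in for the AEAD and is NOT secure.
fn toy_tag(key: u64, nonce: u64, payload: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325; // FNV-1a style mix
    for b in key.to_le_bytes().iter().chain(nonce.to_le_bytes().iter()).chain(payload) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x100000001b3);
    }
    h
}

/// Sender: the nonce is implicit (never sent on the wire) and advances per message.
struct Sender { key: u64, nonce: u64 }
impl Sender {
    fn send(&mut self, payload: &[u8]) -> Vec<u8> {
        let mut msg = payload.to_vec();
        msg.extend_from_slice(&toy_tag(self.key, self.nonce, payload).to_le_bytes());
        self.nonce += 1;
        msg
    }
}

/// Receiver: `increment_on_failure` models the pre-0.9.5 TransportState behaviour.
struct Receiver { key: u64, nonce: u64, increment_on_failure: bool }
impl Receiver {
    fn recv(&mut self, msg: &[u8]) -> Result<Vec<u8>, &'static str> {
        let split = msg.len().checked_sub(8).map(|n| msg.split_at(n));
        let ok = match split {
            Some((payload, tag)) => tag == &toy_tag(self.key, self.nonce, payload).to_le_bytes()[..],
            None => false,
        };
        // The bug: the nonce moves on even though the packet was never authenticated.
        if ok || self.increment_on_failure {
            self.nonce += 1;
        }
        match (ok, split) {
            (true, Some((payload, _))) => Ok(payload.to_vec()),
            _ => Err("authentication failed"),
        }
    }
}

/// Legit message, injected garbage, legit message: is the third one still accepted?
fn accepted_after_injection(vulnerable: bool) -> bool {
    let mut tx = Sender { key: 0x5eed, nonce: 0 };
    let mut rx = Receiver { key: 0x5eed, nonce: 0, increment_on_failure: vulnerable };
    assert!(rx.recv(&tx.send(b"hello")).is_ok());
    let _ = rx.recv(b"garbage injected on the wire"); // rejected either way
    rx.recv(&tx.send(b"world")).is_ok()
}
```

With `increment_on_failure` set, the second legitimate message is rejected; with it cleared (the 0.9.5 behaviour), it is accepted.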

References

  • github.com/advisories/GHSA-7g9j-g5jg-3vv3
  • github.com/mcginty/snow
  • github.com/mcginty/snow/commit/12e8ae55547ae297d5f70599e5c884ea891303eb
  • github.com/mcginty/snow/security/advisories/GHSA-7g9j-g5jg-3vv3
  • nvd.nist.gov/vuln/detail/CVE-2024-58265
  • rustsec.org/advisories/RUSTSEC-2024-0011.html

Affected versions

All versions before 0.9.5

Fixed versions

  • 0.9.5

Solution

Upgrade to version 0.9.5 or above.

Impact: 3.1 (LOW)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Weakness

  • CWE-440: Expected Behavior Violation

Source file

cargo/snow/CVE-2024-58265.yml

Page generated Tue, 19 Aug 2025 12:19:46 +0000.