Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-24785

Clatter has a PSK Validity Rule Violation issue
Back to all
CVE

CVE-2026-24785

Clatter has a PSK Validity Rule Violation issue

Impact

Protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse.

Affected default patterns include noisepqkkpsk0noisepqknpsk0noisepqnkpsk0noisepqnnpsk0, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties.

Patches

The issue is fully patched and released in Clatter v2.2.0. The fixed version includes runtime checks to detect offending handshake patterns.

Workarounds

Avoid using offending *_psk0 variants of post-quantum patterns. Review custom handshake patterns carefully.

Resources

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-

Related Resources

No items found.

References

https://github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4, https://nvd.nist.gov/vuln/detail/CVE-2026-24785, https://github.com/jmlepisto/clatter/commit/b65ae6e9b8019bed5407771e21f89ddff17c5a71, https://github.com/jmlepisto/clatter, https://noiseprotocol.org/noise.html#validity-rule

Severity

9.1

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.1
EPSS Probability
0.00011%
EPSS Percentile
0.01324%
Introduced Version
0
Fix Available
2.2.0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading