CVE-2026-24785 – Clatter versions before 2.2.0 have a protocol c... (How to Fix)

📋 TL;DR

Clatter versions before 2.2.0 have a protocol compliance vulnerability where post-quantum handshake patterns violate the PSK validity rule, allowing PSK-derived keys to be used without proper randomization. This weakens security guarantees and could lead to catastrophic key reuse. Users of affected post-quantum patterns with PSK are impacted.

💻 Affected Systems

Products:

Clatter (Rust Noise protocol implementation)

Versions: All versions prior to 2.2.0

Operating Systems: All platforms using Rust

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects users of specific post-quantum handshake patterns with PSK: noise_pqkk_psk0, noise_pqkn_psk0, noise_pqnk_psk0, noise_pqnn_psk0, and hybrid variants

📦 What is this software?

Clatter by Jmlepisto

View all CVEs affecting Clatter →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Catastrophic key reuse leading to complete compromise of encrypted communications, potentially allowing decryption of past and future sessions

🟠

Likely Case

Weakened cryptographic security that could enable sophisticated attackers to compromise specific sessions

🟢

If Mitigated

Minimal impact if proper network segmentation and monitoring are in place

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Exploitation requires sophisticated cryptographic attacks and knowledge of specific handshake patterns in use

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0

Vendor Advisory: https://github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require clatter >=2.2.0
2. Run 'cargo update --package clatter'
3. Rebuild and redeploy applications using Clatter
4. Restart affected services

🔧 Temporary Workarounds

Avoid vulnerable patterns

all

Stop using affected *_psk0 variants of post-quantum handshake patterns

Modify application code to use non-PSK patterns or different handshake configurations

🧯 If You Can't Patch

Review and modify all custom handshake patterns to ensure PSK validity rule compliance
Implement additional network monitoring for unusual cryptographic handshake patterns

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for clatter version <2.2.0 and verify if application uses affected *_psk0 patterns

Check Version:

grep -A2 -B2 'clatter' Cargo.toml && grep 'clatter' Cargo.lock | head -5

Verify Fix Applied:

Confirm clatter version >=2.2.0 in Cargo.lock and verify runtime checks are enabled

📡 Detection & Monitoring

Log Indicators:

Runtime warnings about PSK validity rule violations (if logging enabled in Clatter 2.2.0+)

Network Indicators:

Unusual handshake patterns matching affected *_psk0 variants

SIEM Query:

Not applicable - cryptographic library issue without standard network signatures

📊 Metadata

CVE ID: CVE-2026-24785

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-327

EPSS Score: 0.01% exploit probability (1.7th percentile)

Published: January 28, 2026

Last Updated: February 27, 2026

🔗 References

https://github.com/jmlepisto/clatter/commit/b65ae6e9b8019bed5407771e21f89ddff17c5a71 Patch
https://github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4 Mitigation,Vendor Advisory
https://noiseprotocol.org/noise.html#validity-rule Technical Description

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24785, you might also want to check these: