CVE-2026-45056
Sender-binding gaps in to-device messages
發布日:2026/6/4修改日:2026/6/4
描述
The matrix-sdk-crypto crate before 0.16.1 is missing a check for the sender's user ID when decrypting an Olm-encrypted to-device message containing the sender_device_keys property. This could be exploited to spoof the sender of an encrypted to-device message, but only if the attacker colludes with (or is) the homeserver operator.
受影響套件(2)
- crates.io/matrix-sdk-crypto>= 0.12.0, < 0.16.1
- crates.io/matrix-sdk-crypto>= 0.12.0, < 0.16.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
參考連結(6)
- PATCHhttps://crates.io/crates/matrix-sdk-crypto
- PATCHhttps://github.com/matrix-org/matrix-rust-sdk
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/pull/6553
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-0.16.1
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-wfq4-36m3-9g42
- WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0159.html