GHSA-w9rp-wwm2-fwmr
A use-after-free vulnerability exists in the post-quantum cryptography (PQC) hybrid key-share handling of a TLS 1.3 implementation. This issue is a follow-up to CVE-2026-5460 and occurs when a malicious TLS 1.3 server sends a truncated PQC hybrid KeyShare, triggering an error cleanup path that operates on freed memory. The vulnerability is classified as low severity.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-7531) is a use-after-free condition in the handling of PQC hybrid key-shares during TLS 1.3 handshake processing. It is an incomplete fix following CVE-2026-5460, where a malicious TLS 1.3 server can send a truncated PQC hybrid KeyShare to trigger cleanup code that accesses memory after it has been freed. This could potentially lead to memory corruption. No exploits are known in the wild, and no patch or remediation details are provided in the available data.
Potential Impact
The vulnerability could allow a malicious TLS 1.3 server to cause a use-after-free condition in the client during PQC hybrid key-share processing, potentially leading to memory corruption. However, the severity is assessed as low, and no known exploits have been reported. The impact is limited to the error cleanup path triggered by a truncated key-share message.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch information is provided in the available data. Until a patch is available, cautious handling of TLS 1.3 PQC hybrid key-shares and monitoring vendor communications is recommended.
GHSA-w9rp-wwm2-fwmr
Description
A use-after-free vulnerability exists in the post-quantum cryptography (PQC) hybrid key-share handling of a TLS 1.3 implementation. This issue is a follow-up to CVE-2026-5460 and occurs when a malicious TLS 1.3 server sends a truncated PQC hybrid KeyShare, triggering an error cleanup path that operates on freed memory. The vulnerability is classified as low severity.
CVSS v4.0
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-7531) is a use-after-free condition in the handling of PQC hybrid key-shares during TLS 1.3 handshake processing. It is an incomplete fix following CVE-2026-5460, where a malicious TLS 1.3 server can send a truncated PQC hybrid KeyShare to trigger cleanup code that accesses memory after it has been freed. This could potentially lead to memory corruption. No exploits are known in the wild, and no patch or remediation details are provided in the available data.
Potential Impact
The vulnerability could allow a malicious TLS 1.3 server to cause a use-after-free condition in the client during PQC hybrid key-share processing, potentially leading to memory corruption. However, the severity is assessed as low, and no known exploits have been reported. The impact is limited to the error cleanup path triggered by a truncated key-share message.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch information is provided in the available data. Until a patch is available, cautious handling of TLS 1.3 PQC hybrid key-shares and monitoring vendor communications is recommended.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-w9rp-wwm2-fwmr
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-7531"]
- Ecosystems
- []
- Database Specific Severity
- LOW
- Cvss Version
- 4.0
Threat ID: 6a3ef79027e9c79719ff6e5e
Added to database: 06/26/2026, 22:05:04 UTC
Last enriched: 06/26/2026, 22:17:07 UTC
Last updated: 06/27/2026, 01:11:16 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.