CVE-2024-58265: 
Rust vulnerability analysis and mitigation

The vulnerability (CVE-2024-58265) affects the snow crate versions before 0.9.5 for Rust programming language. The issue specifically impacts implementations using stateful TransportState, where there is a logic bug that allows incrementing a nonce and thereby denying message delivery. The vulnerability was discovered and disclosed in January 2024, with a patch released in version 0.9.5 (GitHub Advisory, RustSec Advisory).

The vulnerability stems from a logic bug where unauthenticated payloads could trigger a nonce increment in snow's internal state. This affects only implementations using the stateful TransportState component, while implementations using StatelessTransportState remain unaffected. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L by NIST NVD (NVD Database).

When exploited, the vulnerability can cause a denial-of-service condition by preventing message delivery between communicating parties. This occurs because the attack causes the sending and receiving sides to expect different nonce values than what would actually arrive, effectively disrupting the communication channel (GitHub Advisory, RustSec Advisory).

The vulnerability has been patched in snow crate version 0.9.5. All users are strongly recommended to update to this version or later. For those unable to update immediately, using StatelessTransportState instead of stateful TransportState can serve as a workaround, as this component is not affected by the vulnerability (GitHub Advisory, RustSec Advisory).