CVE-2026-24785: Clatter Information Disclosure Vulnerability

CVE-2026-24785 is an information disclosure vulnerability in Clatter's Noise protocol implementation that violates PSK validity rules, potentially allowing key reuse. This post covers technical details, affected versions, and patches.

Published: January 30, 2026

CVE-2026-24785 Overview

CVE-2026-24785 is a cryptographic vulnerability in Clatter, a no_std-compatible, pure-Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 contain a protocol compliance flaw: the library allowed post-quantum handshake patterns that violate the PSK validity rule defined in Section 9.3 of the Noise Protocol Framework specification. As a result, a PSK-derived key could be used for encryption before it had been randomized by the sending party's own ephemeral randomness, significantly weakening the protocol's security guarantees and potentially enabling key reuse across sessions.

Critical Impact

Improper PSK handling in post-quantum handshake patterns could lead to weakened cryptographic security and potential key reuse, undermining the confidentiality guarantees of encrypted communications.

Affected Products

  • Clatter versions prior to 2.2.0
  • Affected default patterns: noise_pqkk_psk0, noise_pqkn_psk0, noise_pqnk_psk0, noise_pqnn_psk0
  • Some hybrid pattern variants using *_psk0 configurations

Discovery Timeline

  • 2026-01-28 - CVE-2026-24785 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-24785

Vulnerability Analysis

This vulnerability stems from improper implementation of the Noise Protocol Framework's validity rules for Pre-Shared Key (PSK) handshake patterns. The Noise Protocol Framework specification explicitly defines validity constraints in Section 9.3 to ensure cryptographic operations maintain their intended security properties. In the affected versions of Clatter, post-quantum handshake patterns with PSK at position 0 (designated as *_psk0 patterns) were permitted despite violating these validity rules.

When the PSK sits at position psk0 in these post-quantum patterns, the encryption key is derived before any ephemeral randomness has been mixed into the handshake state. The derived key therefore depends solely on the PSK and is identical for every handshake that uses the same PSK. An attacker able to observe or influence such handshakes could potentially predict the derived keys, and the same key and nonce sequence being reused across multiple sessions is a catastrophic failure for the underlying AEAD cipher.

Root Cause

The root cause is classified as CWE-327 (use of a broken or risky cryptographic algorithm): the library's pattern validation logic failed to enforce the PSK validity rules specified by the Noise Protocol Framework. Specifically, the implementation allowed psk0 positions in post-quantum handshake patterns whose first message token is not an ephemeral key exchange (e or ee). Without ephemeral randomness preceding the PSK mixing, the cryptographic guarantees of the protocol are fundamentally compromised.

Attack Vector

The vulnerability is exploitable over a network by any party that can initiate or participate in a Noise protocol handshake using the affected patterns. An attacker does not require authentication or user interaction to exploit this vulnerability. The attack could proceed as follows:

  1. Attacker identifies a target application using Clatter with an affected *_psk0 post-quantum pattern
  2. Attacker engages in multiple handshakes with the target
  3. Due to the lack of proper ephemeral randomization, derived keys become predictable
  4. Attacker leverages key predictability to decrypt captured communications or impersonate parties

The following patch shows the removal of the vulnerable *_psk0 patterns from the library:

rust
         noise_pqin_psk1(),
         noise_pqin_psk2(),
         noise_pqix_psk2(),
-        noise_pqkk_psk0(),
         noise_pqkk_psk2(),
-        noise_pqkn_psk0(),
         noise_pqkn_psk2(),
         noise_pqkx_psk2(),
-        noise_pqnk_psk0(),
         noise_pqnk_psk2(),
-        noise_pqnn_psk0(),
         noise_pqnn_psk2(),
         noise_pqnx_psk2(),
         noise_pqxk_psk3(),
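Review bot: Removing the four `*_psk0` constructors from this list only stops them from being offered by default; if `noise_pqkk_psk0()` and the other three are still defined elsewhere in the crate, a caller can still build the pattern by hand, so the Section 9.3 check belongs in the pattern constructor or at handshake initialisation rather than only in this list (the advisory text says a runtime check was added, but it is not in this hunk). The hybrid `*_psk0` variants listed as affected above are also not touched here, so confirm they are covered by the same change.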

Source: GitHub Commit Changes

The fix also introduces proper error handling for invalid patterns:

rust
     Cipher(#[from] CipherError),
     /// Transport error: {0}
     Transport(#[from] TransportError),
+    /// Handshake pattern error: {0}
+    Pattern(#[from] PatternError),
 }
 
 /// Handshake operation result type
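Review bot: Adding a public variant to this error enum is a breaking change for downstream code that matches on it exhaustively unless the enum is `#[non_exhaustive]`, which is not visible in this hunk; it should be called out in the 2.2.0 release notes. The hunk also does not show `PatternError` itself or the call site that produces it, so the review should confirm that an offending `*_psk0` pattern is rejected through `Pattern(...)` at handshake construction rather than by a panic.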

Source: GitHub Commit Changes

Detection Methods for CVE-2026-24785

Indicators of Compromise

  • Applications configured to use noise_pqkk_psk0, noise_pqkn_psk0, noise_pqnk_psk0, or noise_pqnn_psk0 handshake patterns
  • Clatter library versions below 2.2.0 in project dependencies (Cargo.toml or Cargo.lock)
  • Runtime logs indicating use of post-quantum patterns with psk0 suffix
  • Cryptographic audit findings showing deterministic key derivation in Noise protocol sessions

Detection Strategies

  • Audit Cargo.toml and Cargo.lock files for Clatter dependency versions below 2.2.0
  • Search codebase for string literals matching vulnerable pattern names: pqkk_psk0, pqkn_psk0, pqnk_psk0, pqnn_psk0
  • Implement dependency scanning tools to flag vulnerable Clatter versions in CI/CD pipelines
  • Review custom handshake pattern definitions for PSK validity rule compliance
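An added example, not Clatter's or SentinelOne's code, that carries out the first two strategies above in Rust: it walks a Cargo.lock for clatter entries older than 2.2.0 and flags source lines that name any of the four affected patterns. The sample lock file and source lines are constructed for the example.

```rust
// Added example (not Clatter's code): audit a Cargo.lock and source text for CVE-2026-24785 exposure.
/// First fixed release named by the advisory.
const PATCHED: (u64, u64, u64) = (2, 2, 0);
/// Pattern names the advisory lists as affected (matched case-insensitively).
const VULNERABLE_PATTERNS: [&str; 4] = ["pqkk_psk0", "pqkn_psk0", "pqnk_psk0", "pqnn_psk0"];

/// Parse "MAJOR.MINOR.PATCH", ignoring any "-pre" or "+build" suffix.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Clatter versions pinned in a Cargo.lock that are older than 2.2.0 (unparsable versions are reported too).
pub fn vulnerable_clatter_versions(lock: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut in_clatter = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_clatter = false;
        } else if let Some(name) = line.strip_prefix("name = ") {
            in_clatter = name.trim_matches('"') == "clatter";
        } else if let Some(ver) = line.strip_prefix("version = ") {
            let ver = ver.trim_matches('"');
            if in_clatter && parse_semver(ver).map_or(true, |t| t < PATCHED) {
                found.push(ver.to_string());
            }
        }
    }
    found
}

/// (1-based line number, pattern name) for each affected *_psk0 pattern referenced in source text.
pub fn find_psk0_patterns(src: &str) -> Vec<(usize, &'static str)> {
    let mut hits = Vec::new();
    for (i, line) in src.lines().enumerate() {
        let lower = line.to_ascii_lowercase();
        hits.extend(VULNERABLE_PATTERNS.iter().filter(|n| lower.contains(**n)).map(|n| (i + 1, *n)));
    }
    hits
}

/// Constructed sample inputs, not taken from any real project.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"clatter\"\nversion = \"2.1.0\"\n\n[[package]]\nname = \"rand\"\nversion = \"0.8.5\"\n";
pub const SAMPLE_SRC: &str = "let p = noise_pqkk_psk0();\nlet ok = noise_pqkk_psk2();\n";

fn main() {
    println!("{:?} {:?}", vulnerable_clatter_versions(SAMPLE_LOCK), find_psk0_patterns(SAMPLE_SRC));
}
```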

Monitoring Recommendations

  • Enable SentinelOne Singularity Platform for continuous monitoring of application dependencies and runtime behavior
  • Configure alerts for applications using known vulnerable cryptographic patterns
  • Monitor for unusual patterns in encrypted session establishment that may indicate key reuse
  • Implement software composition analysis (SCA) to track vulnerable library versions across the organization

How to Mitigate CVE-2026-24785

Immediate Actions Required

  • Upgrade Clatter to version 2.2.0 or later immediately
  • Audit all applications using Clatter for affected handshake patterns
  • If using custom patterns, review them against the Noise Protocol Validity Rules
  • Consider rotating any PSKs used with affected patterns as a precautionary measure

Patch Information

The vulnerability has been fully patched in Clatter version 2.2.0. The fix includes runtime checks to detect and reject offending handshake patterns that violate PSK validity rules. Users should update their Cargo.toml dependency to specify the patched version. For technical details on the patch, refer to the GitHub Security Advisory GHSA-253q-9q78-63x4 and the commit implementing the fix.

Workarounds

  • Avoid using *_psk0 variants of post-quantum patterns (noise_pqkk_psk0, noise_pqkn_psk0, noise_pqnk_psk0, noise_pqnn_psk0)
  • Use *_psk2 or *_psk3 variants instead, which ensure ephemeral randomness precedes PSK mixing
  • For custom handshake patterns, ensure PSK tokens only appear after an ephemeral key exchange token
  • Review the Noise Protocol Framework specification Section 9.3 for proper pattern construction

bash
# Update the Clatter dependency in Cargo.toml
# Replace the vulnerable version with the patched version.
# This only matches the simple `clatter = "x.y.z"` form; a table-style
# entry (`clatter = { version = "...", ... }`) must be edited by hand.
sed -i 's/clatter = ".*"/clatter = "2.2.0"/' Cargo.toml

# Refresh Cargo.lock for the new version and verify the project still builds
cargo update -p clatter
cargo build

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure
  • Vendor/Tech: Clatter
  • Severity: HIGH
  • CVSS Score: 8.0
  • EPSS Probability: 0.01%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-327

Technical References

  • GitHub Commit Changes
  • GitHub Security Advisory GHSA-253q-9q78-63x4
  • Noise Protocol Validity Rules