Intel

AIKIDO-2026-409684

rustls is vulnerable to Observable Discrepancy

Observable Discrepancy Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

33

Low Risk

This Affects:

RUSTrustls
0.23.10 - 0.23.39
Fixed in 0.23.40
Are you affected? Scan for Free

TL;DR

rustls provides Encrypted Client Hello (ECH) client support in rustls/src/client/ech.rs, which pads the inner ClientHello so its length does not reveal the protected inner server name. Before the fix, the inner-hello name padding was derived from the configured inner name even when the SNI extension was omitted, and the RFC-recommended padding scheme for SNI names was implemented incorrectly. As a result the encrypted inner ClientHello length could vary with the inner name, letting a passive network observer infer the length of the protected inner name and weakening the privacy ECH is meant to provide. The fix bases padding on the actual inner ClientHello server_name extension and corrects the padding scheme so the inner hello length is invariant with respect to the inner name.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your client uses Encrypted Client Hello (ECH).

Background info

rustls is vulnerable to Observable Discrepancy in versions 0.23.10 - 0.23.39.

How to fix this

Upgrade the rustls library to the patch version.