TL;DR: Versions between 4.0.0 and 4.3.0 should be updated to Swift Crypto 4.3.1 immediately.
Swift Crypto just released a security fix for CVE-2026-28815. This vulnerability allows attackers to trigger out-of-bounds reads by providing an encapsulated ciphertext of unexpected lengths. The decapsulation forwards into an underlying C API that expects a static length. This creates an issue where shorter inputs cause reads beyond the input buffer, potentially causing a crash or memory disclosure depending on runtime protections.
The affected API was introduced in version 4.0.0. Versions between 4.0.0 and 4.3.0 should update to the newest release 4.3.1 that includes the fix. You can read the full security advisory on GitHub.
Many thanks to Cantina for reporting this issue.