Tracked in security advisory: https://github.com/encryption4all/ibe/security/advisories/GHSA-236p-m8qr-cmjg
The mkem layer derives its AES-128-GCM encryption key by raw truncation of the KEM shared secret rather than applying a proper KDF. The fix involves applying HKDF-SHA256 (or switching to AES-256-GCM using the full output) with domain separation. See the advisory for full details.
Tracked in security advisory: https://github.com/encryption4all/ibe/security/advisories/GHSA-236p-m8qr-cmjg
The mkem layer derives its AES-128-GCM encryption key by raw truncation of the KEM shared secret rather than applying a proper KDF. The fix involves applying HKDF-SHA256 (or switching to AES-256-GCM using the full output) with domain separation. See the advisory for full details.