The OpenSSL project reports:
Low: ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce
input for every encryption operation. RFC 7539 specifies that the nonce
value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce
length and front pads the nonce with 0 bytes if it is less than 12 bytes.
However it also incorrectly allows a nonce to be set of up to 16 bytes.
In this case only the last 12 bytes are significant and any additional
leading bytes are ignored.