RUSTSEC-2025-0133

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2025-0133
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0133.json
JSON Data
https://api.test.osv.dev/v1/vulns/RUSTSEC-2025-0133
Aliases
Published
2025-12-04T12:00:00Z
Modified
2025-12-06T07:56:20.626253Z
Summary
Incorrect calculation on aarch64
Details

On platforms without the core::arch::aarch64::vxarq_u64 intrinsic, an unverified fallback in libcrux-intrinsics v0.0.3 passed incorrect arguments and produced wrong results. This corrupted SHA-3 digests and caused libcrux-ml-kem and libcrux-ml-dsa to sample incorrectly, yielding incorrect shared secrets and invalid signatures.

The issue has been fixed in v0.0.4.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / libcrux-intrinsics

Package

Name
libcrux-intrinsics
View open source insights on deps.dev
Purl
pkg:cargo/libcrux-intrinsics

Affected ranges

Type
SEMVER
Events
Introduced
0.0.4-0
Fixed
0.0.4

Ecosystem specific 

{
    "affects": {
        "os": [],
        "arch": [
            "aarch64"
        ],
        "functions": []
    },
    "affected_functions": null
}

Database specific

informational

null

categories

[
    "crypto-failure"
]

cvss

null