RUSTSEC-2025-0133

Incorrect calculation on aarch64

Reported
Issued
Package
libcrux-intrinsics (crates.io)
Type
Vulnerability
Categories
References
Patched
  • >=0.0.4
Unaffected
  • <=0.0.3
Affected Architectures
  • aarch64

Description

On platforms without the core::arch::aarch64::vxarq_u64 intrinsic, an unverified fallback in libcrux-intrinsics v0.0.3 passed incorrect arguments and produced wrong results. This corrupted SHA-3 digests and caused libcrux-ml-kem and libcrux-ml-dsa to sample incorrectly, yielding incorrect shared secrets and invalid signatures.

The issue has been fixed in v0.0.4.
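
The failure class described above can be caught by a differential test of the fallback against a reference model over every rotation amount. The following is an added example, not code from libcrux: it models XAR as a per-lane rotate-right of a XOR b, and `Lanes`, `xar_fallback`, `correct_call` and `swapped_call` are hypothetical names. The swapped call site is a constructed fault for illustration and is not claimed to be the actual defect in v0.0.3.

```rust
/// Two 64-bit lanes, modelling a NEON uint64x2_t as a plain array (assumption).
type Lanes = [u64; 2];

/// Reference semantics of XAR: each lane is (a XOR b) rotated right by `right` bits.
fn xar_reference(a: Lanes, b: Lanes, right: u32) -> Lanes {
    [(a[0] ^ b[0]).rotate_right(right), (a[1] ^ b[1]).rotate_right(right)]
}

/// Hypothetical shift-based fallback: the caller passes both shift amounts.
/// It equals the reference only when left + right == 64.
fn xar_fallback(a: Lanes, b: Lanes, left: u32, right: u32) -> Lanes {
    // checked_shl/checked_shr return None for a shift of 64, which must yield 0.
    let lane = |x: u64| x.checked_shl(left).unwrap_or(0) ^ x.checked_shr(right).unwrap_or(0);
    [lane(a[0] ^ b[0]), lane(a[1] ^ b[1])]
}

/// Rotation amounts in 0..64 for which `candidate` disagrees with the reference.
fn mismatches(candidate: impl Fn(Lanes, Lanes, u32) -> Lanes) -> Vec<u32> {
    // Constructed inputs: single set bits and asymmetric patterns, so that
    // any wrong rotation amount changes the output.
    let inputs: [(Lanes, Lanes); 3] = [
        ([1, 1 << 63], [0, 0]),
        ([0x0123_4567_89ab_cdef, 0], [0, 0xfedc_ba98_7654_3210]),
        ([u64::MAX, 0x8000_0000_0000_0001], [1, 0]),
    ];
    (0..64u32)
        .filter(|&r| inputs.iter().any(|&(a, b)| candidate(a, b, r) != xar_reference(a, b, r)))
        .collect()
}

/// Call site with the correct argument pairing (left = 64 - right).
fn correct_call(a: Lanes, b: Lanes, r: u32) -> Lanes {
    xar_fallback(a, b, 64 - r, r)
}

/// Constructed faulty call site with the two shift amounts swapped.
fn swapped_call(a: Lanes, b: Lanes, r: u32) -> Lanes {
    xar_fallback(a, b, r, 64 - r)
}

fn main() {
    println!("correct call site: {} mismatches", mismatches(correct_call).len());
    println!("swapped call site: {:?}", mismatches(swapped_call));
}
```

Rotation amounts 0 and 32 hide the swap, so a check that samples only a few amounts can pass against a wrong fallback; covering all 64 does not.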

Advisory available under CC0-1.0 license.