
RUSTSEC-2026-0003

Non-constant-time code generation on ARM32 targets

Reported
Issued
Package: cmov (crates.io)
Type: Vulnerability
Categories
Aliases
References
CVSS Score: 8.9 HIGH
CVSS Details:
  • Attack Complexity: High
  • Attack Requirements: None
  • Attack Vector: Network
  • Privileges Required: None
  • Availability Impact to the Subsequent System: None
  • Confidentiality Impact to the Subsequent System: High
  • Integrity Impact to the Subsequent System: None
  • User Interaction: None
  • Availability Impact to the Vulnerable System: None
  • Confidentiality Impact to the Vulnerable System: High
  • Integrity Impact to the Vulnerable System: None
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Patched:
  • >=0.4.4

Description

Summary

While the cmov crate has a dedicated backend for aarch64 that uses CSEL instructions, on 32-bit ARM it uses a portable pure Rust fallback implementation. This fallback combines bitwise arithmetic with core::hint::black_box to try to coerce the optimizer into generating constant-time code, but in v0.4.3 and earlier it failed to do so on 32-bit ARM targets.

Impact

Branch instructions inserted by the LLVM optimizer on 32-bit targets can be leveraged through microarchitectural side channels, such as cache timing attacks, to learn the secret information that cmov is designed to protect.

Details

The following assembly was emitted when using Cmov::cmovnz, a function which implements a conditional move when a provided value is non-zero:

    bne  .LBB0_2
    mvns r3, r3

This includes a branch instruction, bne (Branch if Not Equal).

PoC

The following code reproduces the issue:

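    #![no_std]
    use cmov::Cmov;

    // Conditional move on a non-zero condition value `c`.
    // #[inline(never)] keeps the function as a separate symbol so its
    // emitted assembly can be inspected for branch instructions.
    #[inline(never)]
    pub fn test_ct_cmov(a: &mut u8, b: u8, c: u8) {
        a.cmovnz(&b, c);
    }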
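One way to check a build for this class of regression is to scan the emitted ARM32 assembly of a function for conditional branches. The following is an added example, not code from the advisory or from the cmov project; the listing in SAMPLE is constructed around the two instructions quoted above, and the function names are hypothetical.

```rust
// Added example: heuristic audit of an ARM32 listing; a clean result is not a proof.
/// ARM condition codes ("al", always, is deliberately excluded).
const CONDS: [&str; 16] = [
    "eq", "ne", "cs", "hs", "cc", "lo", "mi", "pl",
    "vs", "vc", "hi", "ls", "ge", "lt", "gt", "le",
];

/// True for b/bl/bx/blx followed by a condition code, and for cbz/cbnz.
pub fn is_conditional_branch(mnemonic: &str) -> bool {
    let lower = mnemonic.to_ascii_lowercase();
    let m = lower.split('.').next().unwrap_or(""); // drop ".w" / ".n" qualifiers
    m == "cbz" || m == "cbnz"
        || ["blx", "bl", "bx", "b"].iter().any(|p| {
            m.strip_prefix(*p).map_or(false, |rest| CONDS.iter().any(|c| *c == rest))
        })
}

/// (1-based line, instruction) for each conditional branch in `symbol`'s body.
pub fn find_branches(asm: &str, symbol: &str) -> Vec<(usize, String)> {
    let (mut inside, mut hits) = (false, Vec::new());
    for (i, raw) in asm.lines().enumerate() {
        let line = raw.split('@').next().unwrap_or("").trim(); // '@' starts a comment
        if let Some(label) = line.strip_suffix(':') {
            // Local labels (".LBB0_2") stay in the function; other labels end it.
            if !label.starts_with('.') {
                inside = label == symbol;
            }
            continue;
        }
        let mnemonic = line.split_whitespace().next().unwrap_or("");
        if inside && is_conditional_branch(mnemonic) {
            hits.push((i + 1, line.to_string()));
        }
    }
    hits
}

/// Constructed listing: the advisory's two instructions inside placeholder code.
pub const SAMPLE: &str = concat!(
    "test_ct_cmov:\n  cmp r2, #0\n  bne .LBB0_2\n  mvns r3, r3\n",
    ".LBB0_2:\n  bics r3, r1\n  bx lr\n",
    "other_fn:\n  bne .LBB1_1\n",
);

fn main() {
    for (n, insn) in find_branches(SAMPLE, "test_ct_cmov") {
        println!("line {n}: conditional branch: {insn}");
    }
}
```

In practice the input would be the listing produced by rustc's --emit asm for a 32-bit ARM target, checked for each function that handles secret data.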

Resolution

cmov v0.4.4 includes a portable black_box-based tactical mitigation for the issue, which coerces the compiler into producing the expected codegen. Additionally, v0.4.5 added an asm! reimplementation of the problematic mask generation function for ARM32 targets, which should guarantee that this particular function never contains a branch on such targets.

Advisory available under CC-BY-4.0 license. Source: https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp