RustSec logo

HistoryEditJSON (OSV)

RUSTSEC-2026-0207

Incorrect Output of Incremental Portable SHAKE API on Multiple Squeeze Calls

Reported
Issued
Package
libcrux-sha3 (crates.io)
Type
Vulnerability
References
CVSS Score
8.2 HIGH
CVSS Details
Attack Complexity
Low
Attack Requirements
Present
Attack Vector
Network
Privileges Required
None
Availability Impact to the Subsequent System
None
Confidentiality Impact to the Subsequent System
None
Integrity Impact to the Subsequent System
None
User Interaction
None
Availability Impact to the Vulnerable System
High
Confidentiality Impact to the Vulnerable System
None
Integrity Impact to the Vulnerable System
None
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Patched
  • >=0.0.10
Affected Functions
Version
libcrux_sha3::portable::incremental::Shake128Xof::squeeze
  • <=0.0.9
libcrux_sha3::portable::incremental::Shake256Xof::squeeze
  • <=0.0.9

Description

The incremental squeeze functions in the portable SHAKE XOF API, when attempting to squeeze an output using multiple calls to squeeze, rather than squeezing the full output at once, could output incorrect values. Internally, output blocks that were not completely squeezed were not buffered for the next call to squeeze, which would consequently drop bytes of the correct squeeze output if the preceding call requested an output of length in bytes not cleanly divisible by RATE (168 for SHAKE128, 136 for SHAKE256).

Impact

This bug impacts users that rely on this XOF API to squeeze output in multiple calls where any of the calls request an output length that is not divisible by RATE. It does not impact the use of libcrux-sha3 in libcrux-ml-kem or libcrux-ml-dsa.

Mitigation

Starting from version 0.0.10 the squeeze functions correctly output all squeezed bytes independent of the number of squeeze calls and the output lengths requested in each call.

Advisory available under CC0-1.0 license.