RustSec logo

HistoryEditJSON (OSV)

RUSTSEC-2026-0208

Potential Panic in AVX2 SHAKE-256

Reported
Issued
Package
libcrux-sha3 (crates.io)
Type
Vulnerability
References
CVSS Score
8.2 HIGH
CVSS Details
Attack Complexity
Low
Attack Requirements
Present
Attack Vector
Network
Privileges Required
None
Availability Impact to the Subsequent System
None
Confidentiality Impact to the Subsequent System
None
Integrity Impact to the Subsequent System
None
User Interaction
None
Availability Impact to the Vulnerable System
High
Confidentiality Impact to the Vulnerable System
None
Integrity Impact to the Vulnerable System
None
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Patched
  • >=0.0.10
Affected Functions
Version
libcrux_sha3::avx2::x4::shake256
  • <=0.0.9

Description

The AVX2-optimized implementation of SHAKE-256 intended for use in ML-KEM and ML-DSA would panic if the length of the output buffers was greater than 32 and not a multiple of 8, due to an out-of-bounds indexing operation.

Impact

This bug impacts users on AVX2 platforms that use the libcrux_sha3::avx2::x4::shake256 API outside of ML-KEM or ML-DSA with output buffers of length > 32 and not divisible by 8. It does not impact the use in ML-KEM or ML-DSA because there output buffer lengths are always divisible by 8.

Mitigation

Starting from version 0.0.10, the AVX2-optimized SHAKE-256 will no longer panic on output buffer lengths > 32 that are not divisible by 8.

Advisory available under CC0-1.0 license.