- Reported
-
- Issued
-
- Package
-
libcrux-sha3
(crates.io)
- Type
-
Vulnerability
- References
-
- CVSS Score
- 8.2
HIGH
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- Present
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- High
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- None
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- Patched
-
- Affected Functions
- Version
libcrux_sha3::avx2::x4::shake256
-
Description
The AVX2-optimized implementation of SHAKE-256 intended for use in
ML-KEM and ML-DSA would panic if the length of the output buffers was
greater than 32 and not a multiple of 8, due to an out-of-bounds
indexing operation.
Impact
This bug impacts users on AVX2 platforms that use the
libcrux_sha3::avx2::x4::shake256 API outside of ML-KEM or ML-DSA
with output buffers of length > 32 and not divisible by 8. It does
not impact the use in ML-KEM or ML-DSA because there output buffer
lengths are always divisible by 8.
Mitigation
Starting from version 0.0.10, the AVX2-optimized SHAKE-256 will no
longer panic on output buffer lengths > 32 that are not divisible by
8.
Advisory available under CC0-1.0
license.