RustSec logo

HistoryEditJSON (OSV)

RUSTSEC-2026-0212

Potentially Incorrect Output of Constant-Time Swap/Select on Aarch64

Reported
Issued
Package
libcrux-secrets (crates.io)
Type
Vulnerability
References
CVSS Score
8.2 HIGH
CVSS Details
Attack Complexity
Low
Attack Requirements
Present
Attack Vector
Network
Privileges Required
None
Availability Impact to the Subsequent System
None
Confidentiality Impact to the Subsequent System
None
Integrity Impact to the Subsequent System
None
User Interaction
None
Availability Impact to the Vulnerable System
High
Confidentiality Impact to the Vulnerable System
None
Integrity Impact to the Vulnerable System
None
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Patched
  • >=0.0.6
Affected Functions
Version
libcrux_secrets::Select::select
  • <=0.0.5
libcrux_secrets::Swap::swap
  • <=0.0.5

Description

The implementation of constant-time swap and select on aarch64 platforms used a cmp instruction in inline assembly to check whether an 8-bit wide selector was 0. The cmp instruction works on 32-bit registers, which included the unspecified high 24 bits of the cmp operand. Depending on the execution environment the cmp could thus potentially return an incorrect result because its operand's high bits in the inline assembly were set when Rust expected them to be unset. This could lead to incorrect results for the constant-time swap and select operations built from this comparison.

Impact

In certain circumstances the swap and select instructions on aarch64 platforms returned incorrect results.

Mitigation

Starting from version 0.0.6, the selector is compared using a tst instruction with a mask, which only compares the first 8 bits of the selector.

Advisory available under CC0-1.0 license.