CWE-1240
AllowedUse of a Cryptographic Primitive with a Risky Implementation
Abstraction: Base · Status: Draft
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
42 vulnerabilities reference this CWE, most recent first.
GHSA-RW68-3JHM-823V
Vulnerability from github – Published: 2025-02-04 03:33 – Updated: 2025-02-04 03:33Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. A remote attacker could potentially exploit this vulnerability, leading to Information tampering.
{
"affected": [],
"aliases": [
"CVE-2025-22475"
],
"database_specific": {
"cwe_ids": [
"CWE-1240",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-04T03:15:07Z",
"severity": "LOW"
},
"details": "Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. A remote attacker could potentially exploit this vulnerability, leading to Information tampering.",
"id": "GHSA-rw68-3jhm-823v",
"modified": "2025-02-04T03:33:24Z",
"published": "2025-02-04T03:33:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22475"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000279157/dsa-2025-022-security-update-for-dell-powerprotect-dd-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ64-RJF3-W3V7
Vulnerability from github – Published: 2026-05-21 20:24 – Updated: 2026-06-11 14:05Impact
- Key:
challenger/src/multi_field_challenger.rs|MultiField32Challenger::duplexing|transcript_malleability - Affected files:
challenger/src/multi_field_challenger.rs,field/src/helpers.rs -
Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed field elements. Specifically: (1) absorption must be injective — distinct observation streams must produce distinct sponge states, (2) squeezing must be injective — distinct PF rate cells must yield distinct F challenge sequences, and (3) all bits of each absorbed PF element must influence the sponge state.
-
Exploit scenario: An attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. Three independent attack vectors exist:
-
Partial-chunk aliasing (absorb):
duplexing()packsinput_buffer.chunks(num_f_elms)viareduce_32(base 2^32) with no length marker and no zeroing of unused rate slots. Observing[x]followed by a sample yields the same sponge state as[x, 0, ..., 0](padded tonum_f_elms) followed by a sample, sincereduce_32treats missing high limbs identically to explicit zeros. The attacker can extend or truncate the tail of any observation batch without changing future challenges. -
Non-injective squeeze (squeeze):
split_32decomposes each PF rate cell into base-2^64 digits and maps each throughTF::from_u64, which reduces modF::ORDER(~2^31). Two distinct PF values whose base-2^64 digits differ only in their upper 33 bits produce identical F challenge sequences. This weakens the entropy of sampled challenges and can enable selective forgery when the attacker can influence the sponge state pre-squeeze. -
High-bit truncation (observe Hash/MerkleCap):
num_f_elms = PF::bits() / 64computes the number of F limbs per PF element. For BN254 (254-bit field), this yields 3 limbs covering 192 bits — the top 62 bits of every digest word are silently discarded. An attacker can find two distinct BN254 hash digests that differ only in bits 192–253 and observe them interchangeably without affecting challenges. -
Evidence: In
duplexing(), the absorb path (reduce_32with base 2^32) and the squeeze path (split_32with base 2^64) use incompatible radices with no length domain separation.reduce_32is a plain Horner foldacc * 2^32 + digitwith no padding or tag, so trailing zeros are free.split_32extracts u64 digits and casts each viaTF::from_u64, which performs modular reduction, collapsing the top bits. The limb countPF::bits() / 64is a floor division that silently drops all bits beyond64 * num_f_elmsfor fields whose bit-width is not a multiple of 64.
Patches
Included in v0.4.3 and v0.5.3
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "p3-challenger"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "p3-challenger"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46654"
],
"database_specific": {
"cwe_ids": [
"CWE-1240",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T20:24:21Z",
"nvd_published_at": "2026-06-10T22:16:59Z",
"severity": "HIGH"
},
"details": "### Impact\n\n- **Key**: `challenger/src/multi_field_challenger.rs` | `MultiField32Challenger::duplexing` | `transcript_malleability`\n- **Affected files**: `challenger/src/multi_field_challenger.rs`, `field/src/helpers.rs`\n- **Violated invariant**: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed field elements. Specifically: (1) absorption must be injective \u2014 distinct observation streams must produce distinct sponge states, (2) squeezing must be injective \u2014 distinct PF rate cells must yield distinct F challenge sequences, and (3) all bits of each absorbed PF element must influence the sponge state.\n\n- **Exploit scenario**: An attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. Three independent attack vectors exist:\n\n 1. **Partial-chunk aliasing (absorb)**: `duplexing()` packs `input_buffer.chunks(num_f_elms)` via `reduce_32` (base 2^32) with no length marker and no zeroing of unused rate slots. Observing `[x]` followed by a sample yields the same sponge state as `[x, 0, ..., 0]` (padded to `num_f_elms`) followed by a sample, since `reduce_32` treats missing high limbs identically to explicit zeros. The attacker can extend or truncate the tail of any observation batch without changing future challenges.\n\n 2. **Non-injective squeeze (squeeze)**: `split_32` decomposes each PF rate cell into base-2^64 digits and maps each through `TF::from_u64`, which reduces mod `F::ORDER` (~2^31). Two distinct PF values whose base-2^64 digits differ only in their upper 33 bits produce identical F challenge sequences. This weakens the entropy of sampled challenges and can enable selective forgery when the attacker can influence the sponge state pre-squeeze.\n\n 3. **High-bit truncation (observe Hash/MerkleCap)**: `num_f_elms = PF::bits() / 64` computes the number of F limbs per PF element. For BN254 (254-bit field), this yields 3 limbs covering 192 bits \u2014 the top 62 bits of every digest word are silently discarded. An attacker can find two distinct BN254 hash digests that differ only in bits 192\u2013253 and observe them interchangeably without affecting challenges.\n\n- **Evidence**: In `duplexing()`, the absorb path (`reduce_32` with base 2^32) and the squeeze path (`split_32` with base 2^64) use incompatible radices with no length domain separation. `reduce_32` is a plain Horner fold `acc * 2^32 + digit` with no padding or tag, so trailing zeros are free. `split_32` extracts u64 digits and casts each via `TF::from_u64`, which performs modular reduction, collapsing the top bits. The limb count `PF::bits() / 64` is a floor division that silently drops all bits beyond `64 * num_f_elms` for fields whose bit-width is not a multiple of 64.\n\n### Patches\n\nIncluded in v0.4.3 and v0.5.3",
"id": "GHSA-vj64-rjf3-w3v7",
"modified": "2026-06-11T14:05:27Z",
"published": "2026-05-21T20:24:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Plonky3/Plonky3/security/advisories/GHSA-vj64-rjf3-w3v7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46654"
},
{
"type": "PACKAGE",
"url": "https://github.com/Plonky3/Plonky3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss"
}
Mitigation MIT-55
Require compliance with the strongest-available recommendations from trusted parties, and require that compliance must be kept up-to-date, since recommendations evolve over time. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].
Mitigation
Ensure that the architecture/design uses the strongest-available primitives and algorithms from trusted parties. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].
Mitigation MIT-54
Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. As with all cryptographic mechanisms, the source code should be available for analysis. If the algorithm may be compromised when attackers find out how it works, then it is especially weak.
Mitigation
Try not to use cryptographic algorithms in novel ways or with new modes of operation even when you "know" it is secure. For example, using SHA-2 chaining to create a 1-time pad for encryption might sound like a good idea, but one should not do this.
Mitigation MIT-52
Ensure that the design can replace one cryptographic primitive or algorithm with another in the next generation ("cryptographic agility"). Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. This is especially important for hardware, which can be more difficult to upgrade quickly than software; design the hardware at a replaceable block level.
Mitigation
Do not use outdated or non-compliant cryptography algorithms. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong [REF-267].
Mitigation
Do not use a linear-feedback shift register (LFSR) or other legacy methods as a substitute for an accepted and standard Random Number Generator.
Mitigation
Do not use a checksum as a substitute for a cryptographically generated hash.
Mitigation
Strategy: Libraries or Frameworks
Use a vetted cryptographic library or framework. Industry-standard implementations will save development time and are more likely to avoid errors that can occur during implementation of cryptographic algorithms. However, the library/framework could be used incorrectly during implementation.
Mitigation
When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for the prevention of common attacks.
Mitigation
Do not store keys in areas accessible to untrusted agents. Carefully manage and protect the cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography algorithm is irrelevant.
CAPEC-97: Cryptanalysis
Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).