rustsec-2026-0012
Vulnerability from osv_rustsec
Published
2026-02-12 12:00
Modified
2026-02-17 22:02
Summary
Unsoundness in opt-in ARMv8 assembly backend for `keccak`
Details
Summary
The `asm!` block enabled by the off-by-default `asm` feature, when enabled on ARMv8 targets, misspecified the operand type for all of its operands, using `in` for pointers and values which were subsequently mutated by operations performed within the assembly block.
Impact
It's unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined behavior; however, changing them had no actual impact on the generated assembly for these targets. The possibility still exists that it may lead to memory safety or other issues on hypothetical future versions of rustc.
Mitigation
The operand types were changed from `in` to `inout`, and the impacted versions of the `keccak` crate were yanked.
{
"affected": [
{
"database_specific": {
"categories": [
"crypto-failure"
],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "keccak",
"purl": "pkg:cargo/keccak"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.1.6"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "### Summary\n\nThe `asm!` block enabled by the off-by-default `asm` feature, when enabled on ARMv8 targets, misspecified the operand\ntype for all of its operands, using `in` for pointers and values which were subsequently mutated by operations performed\nwithin the assembly block.\n\n### Impact\n\nIt\u0027s unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined\nbehavior, however changing them had no actual impact on the generated assembly for these targets. The possibility still\nexists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.\n\n### Mitigation\n\nThe operand types were changed from `in` to `inout`, and the impacted versions of the `keccak` crate were yanked.",
"id": "RUSTSEC-2026-0012",
"modified": "2026-02-17T22:02:59Z",
"published": "2026-02-12T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/keccak"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0012.html"
},
{
"type": "WEB",
"url": "https://github.com/RustCrypto/sponges/pull/101"
}
],
"related": [],
"severity": [],
"summary": "Unsoundness in opt-in ARMv8 assembly backend for `keccak`"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.