rustsec-2026-0074
Vulnerability from osv_rustsec
Published
2026-03-04 12:00
Modified
2026-03-27 05:55
Summary
Incorrect Output of Incremental Portable SHAKE API
Details

The incremental squeeze functions in the portable SHAKE XOF API, when attempting to squeeze more than RATE (168 for SHAKE128, 136 for SHAKE256) bytes, performed an additional permutation of the state before producing the first output block, thus discarding the first block of RATE bytes of valid XOF output.

Impact

This bug impacts users that rely on this XOF API to squeeze more than RATE bytes. It does not impact the use of libcrux-sha3 in libcrux-ml-kem or libcrux-ml-dsa.

Mitigation

Starting from version 0.0.8 the squeeze functions correctly output all blocks including the first block.

References
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "libcrux_sha3::portable::incremental::Shake128Xof::squeeze",
            "libcrux_sha3::portable::incremental::Shake256Xof::squeeze"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-sha3",
        "purl": "pkg:cargo/libcrux-sha3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.0.8"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-q29p-9pfr-j652"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The incremental squeeze functions in the portable SHAKE XOF API, when\n attempting to squeeze more than `RATE` (168 for SHAKE128, 136 for\n SHAKE256) bytes, performed an additional permutation of the state\n before producing the first output block, thus discarding the first\n block of `RATE` bytes of valid XOF output.\n\n## Impact\nThis bug impacts users that rely on this XOF API to squeeze more than\n`RATE` bytes. It does not impact the use of libcrux-sha3 in\nlibcrux-ml-kem or libcrux-ml-dsa.\n\n## Mitigation\nStarting from version `0.0.8` the squeeze functions correctly output\nall blocks including the first block.",
  "id": "RUSTSEC-2026-0074",
  "modified": "2026-03-27T05:55:06Z",
  "published": "2026-03-04T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/libcrux-sha3"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0074.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1352"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Incorrect Output of Incremental Portable SHAKE API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.