13 matches found

OSV
added 2025/06/20 6:8 p.m. | 2 views

GHSA-G3QG-6746-3MG9 zkVM Underconstrained Vulnerability

Due to a missing constraint in the rv32im circuit, any 3-register RISC-V instruction (including remu and divu) in risc0-zkvm 2.0.0, 2.0.1, and 2.0.2 is vulnerable to an attack by a malicious prover. The main idea for the attack is to confuse the RISC-V virtual machine into treating the value of th...

CVSS 6.9 | AI score 6.3 | EPSS 0.0024
Exploits 0 | References 9
CVE
added 2025/06/20 5:21 p.m. | 16 views

CVE-2025-52484

The CVE concerns risc0-zkvm prior to version 2.1.0. A missing constraint in the rv32im circuit allows a malicious prover to exploit any 3-register RISC-V instruction (e.g., remu, divu) by making rs1 appear equal to rs2, potentially compromising zkVM computations. Affected releases: risc0-zkvm 2.0...

CVSS 6.9 | AI score 6.6 | EPSS 0.0024
Exploits 0 | References 7
CNNVD
added 2025/06/20 12:0 a.m. | 3 views

BlueRiSC WindowsSCOPE Cyber Forensics Data Forgery Vulnerability

BlueRiSC WindowsSCOPE Cyber Forensics is a GUI-based memory forensic capture and analysis toolkit from BlueRiSC. BlueRiSC WindowsSCOPE Cyber Forensics suffers from a Data Forgery Issue vulnerability that stems from a lack of constraints in the rv32im circuit, which could lead to a malicious prove...

CVSS 6.9 | AI score 6.5 | EPSS 0.0024
Exploits 0 | References 8
OSV
added 2025/05/05 7:57 p.m. | 4 views

GHSA-JF2R-X3J4-23M7 OpenVM allows the byte decomposition of pc in AUIPC chip to overflow

The fix to https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21 has a typo that still results in the highest limb of pc being range checked to 8-bits instead of 6-bits. In the AIR, we do...

CVSS 8.8 | AI score 6.9 | EPSS 0.00581
Exploits 0 | References 7
Github Security Blog
added 2025/05/05 7:57 p.m. | 17 views

OpenVM allows the byte decomposition of pc in AUIPC chip to overflow

The fix to https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21 has a typo that still results in the highest limb of pc being range checked to 8-bits instead of 6-bits. In the AIR, we do...

CVSS 8.8 | AI score 7 | EPSS 0.00581
Exploits 0 | References 7 | Affected Software 1
CVE
added 2025/05/02 10:18 p.m. | 65 views

CVE-2025-46723

OpenVM (version 1.0.0) contains a vulnerability in the AUIPC chip path where pc limb decomposition overflows due to an off-by-one typo in the 8-bit vs 6-bit check. The root cause is a mis-specified enumeration in the pc_limbs loop, causing pc_limbs[3] to be checked with 8-bit bounds instead of 6-b...

CVSS 8.8 | AI score 6.7 | EPSS 0.00581
Exploits 0 | References 5
CNNVD
added 2025/05/02 12:0 a.m. | 1 views

OpenVM Security Vulnerability

OpenVM is an open-source, high-performance, modular zkVM framework built for customization and extensibility. A security vulnerability exists in OpenVM version 1.0.0, which stems from a pc byte decomposition overflow in the AUIPC chip, which could lead to a malicious prover causing the...

CVSS 8.8 | AI score 6.7 | EPSS 0.00581
Exploits 0 | References 6
Github Security Blog
added 2025/01/30 7:28 p.m. | 4 views

Soundness issue with Plonky2 look up tables

Impact: Lookup tables whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f unless its length happens to be divisible by 26. The cause of the problem is that the...

CVSS 8.6 | AI score 6.6 | EPSS 0.00119
Exploits 0 | References 5 | Affected Software 1
OSV
added 2025/01/30 7:28 p.m. | 2 views

GHSA-HJ49-H7FQ-PX5H Soundness issue with Plonky2 look up tables

Impact: Lookup tables whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f unless its length happens to be divisible by 26. The cause of the problem is that the...

CVSS 8.6 | AI score 8.4 | EPSS 0.00119
Exploits 0 | References 5
Cvelist
added 2025/01/30 7:20 p.m. | 11 views

CVE-2025-24802 Soundness issue with Plonky2 look up tables

Plonky2 is a SNARK implementation based on techniques from PLONK and FRI. Lookup tables whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f unless its length happens ...

CVSS 8.6 | EPSS 0.00119
Exploits 0 | References 3
CVE
added 2025/01/30 7:20 p.m. | 46 views

CVE-2025-24802

Summary of CVE-2025-24802 (Plonky2): The vulnerability stems from padding zeroes in the LookupTableGate mechanism in Plonky2, where lookup tables whose length is not divisible by 26 (computed as floor(num_routed_wires/3)) will always include the 0 -> 0 input-output pair. This allows a malicio...

CVSS 8.6 | AI score 8.4 | EPSS 0.00119
Exploits 0 | References 3
CNNVD
added 2025/01/30 12:0 a.m. | 1 views

Plonky2 Security Vulnerability

Plonky2 is a repository open-sourced by Polygon Zero. A security vulnerability exists in Plonky2, which stems from the zero-padding mechanism originating from LookupTableGate, and could lead to a malicious prover proving that f(0) = 0...

CVSS 8.6 | AI score 6.4 | EPSS 0.00119
Exploits 0 | References 3
Github Security Blog
added 2025/01/28 5:29 p.m. | 14 views

ismp-grandpa crate accepted incorrect signatures

A critical vulnerability was discovered in the ismp-grandpa crate that allowed a malicious prover to easily convince the verifier of the finality of arbitrary headers. Description: The vulnerability manifests as a verifier that only accepts incorrect signatures of Grandpa precommits and was introduce...

CVSS 9.3 | AI score 6.8 | EPSS 0.00078
Exploits 0 | References 7 | Affected Software 3