SP1 V6 Recursion Circuit Row-Count Binding Gap

Summary A soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof that the native verifier would reject. - Affected versions: = 6.0.0, = 6.0.2 - Not affected: SP1 V5 all versions - Severity: High Details Background...

CVE-2026-32732 XSS in @leanprover/unicode-input-component

Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as...

CVE-2026-32732 XSS in @leanprover/unicode-input-component

Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as...

Beyond the Finite Variant Property: Extending Symbolic Diffie-Hellman Group Models (Extended Version)

Diffie-Hellman groups are commonly used in cryptographic protocols. While most state-of-the-art, symbolic protocol verifiers support them to some degree, they do not support all mathematical operations possible in these groups. In particular, they lack support for exponent addition, as these tool...

GHSA-G3QG-6746-3MG9 zkVM Underconstrained Vulnerability

Due to a missing constraint in the rv32im circuit, any 3-register RISC-V instruction including remu and divu in risc0-zkvm 2.0.0, 2.0.1, and 2.0.2 are vulnerable to an attack by a malicious prover. The main idea for the attack is to confuse the RISC-V virtual machine into treating the value of th...

CVE-2025-52484

The CVE concerns risc0-zkvm prior to version 2.1.0. A missing constraint in the rv32im circuit allows a malicious prover to exploit any 3-register RISC-V instruction (e.g., remu, divu) by making rs1 appear equal to rs2, potentially compromising zkVM computations. Affected releases: risc0-zkvm 2.0...

BlueRiSC WindowsSCOPE Cyber Forensics 数据伪造问题漏洞

BlueRiSC WindowsSCOPE Cyber Forensics is a GUI-based memory forensic capture and analysis toolkit from BlueRiSC. BlueRiSC WindowsSCOPE Cyber Forensics suffers from a Data Forgery Issue vulnerability that stems from a lack of constraints in the rv32im circuit, which could lead to a malicious prove...

Comparing Classical and Quantum Conditional Disclosure of Secrets

The conditional disclosure of secrets CDS setting is among the most basic primitives studied in information-theoretic cryptography. Motivated by a connection to non-local quantum computation and position-based cryptography, CDS with quantum resources has recently been considered. Here, we study t...

GHSA-JF2R-X3J4-23M7 OpenVM allows the byte decomposition of pc in AUIPC chip to overflow

The fix to https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21 has a typo that still results in the highest limb of pc being range checked to 8-bits instead of 6-bits. In the AIR, we do...

OpenVM allows the byte decomposition of pc in AUIPC chip to overflow

The fix to https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21 has a typo that still results in the highest limb of pc being range checked to 8-bits instead of 6-bits. In the AIR, we do...

CVE-2025-46723

OpenVM (version 1.0.0) contains a vulnerability in the AUIPC chip path where pc limb decomposition overflows due to a off-by-one typo in the 8-bit vs 6-bit check. The root cause is a mis-specified enumeration in the pc_limbs loop, causing pc_limbs[3] to be checked with 8-bit bounds instead of 6-b...

OpenVM 安全漏洞

OpenVM is an OpenVM open source high performance and modular zkVM framework built for customization and extensibility. A security vulnerability exists in OpenVM version 1.0.0, which stems from a pc byte decomposition overflow in the AUIPC chip, which could lead to a malicious prover causing the...

Soundness issue with Plonky2 look up tables

Impact Lookup tables, whose length is not divisible by 26 = floornumroutedwires / 3 always include the 0 - 0 input-output pair. Thus a malicious prover can always prove that f0 = 0 for any lookup table f unless its length happens to be divisible by 26. The cause of problem is that the...

GHSA-HJ49-H7FQ-PX5H Soundness issue with Plonky2 look up tables

Impact Lookup tables, whose length is not divisible by 26 = floornumroutedwires / 3 always include the 0 - 0 input-output pair. Thus a malicious prover can always prove that f0 = 0 for any lookup table f unless its length happens to be divisible by 26. The cause of problem is that the...

CVE-2025-24802 Soundness issue with Plonky2 look up tables

Plonky2 is a SNARK implementation based on techniques from PLONK and FRI. Lookup tables, whose length is not divisible by 26 = floornumroutedwires / 3 always include the 0 - 0 input-output pair. Thus a malicious prover can always prove that f0 = 0 for any lookup table f unless its length happens ...

CVE-2025-24802

Summary of CVE-2025-24802 (Plonky2) : The vulnerability stems from padding zeroes in the LookupTableGate mechanism in Plonky2, where lookup tables whose length is not divisible by 26 (computed as floor(num_routed_wires/3)) will always include the 0 -> 0 input-output pair. This allows a malicio...

Plonky2 安全漏洞

Plonky2 is a repository open-sourced by Polygon Zero. A security vulnerability exists in Plonky2, which stems from the zero-padding mechanism originating from LookupTableGate, and could lead to a malicious prover proving that f0 = 0...

ismp-grandpa crate accepted incorrect signatures

A critical vulnerability was discovered in the ismp-grandpa crate, that allowed a malicious prover easily convince the verifier of the finality of arbitrary headers. Description The vulnerability manifests as a verifer that only accepts incorrect signatures of Grandpa precommits and was introduce...

sp1 has insufficient observation of cumulative sum

During proof generation, the prover must observe all values sent to the verifier to generate valid Fiat-Shamir challenges. Prior to v3.0.0 the cumulative sum of the permutation argument was not observed when sampling zeta, which is a random challenge sampled to force the constraints to be true. I...

GHSA-9XCG-3Q8V-7FQ6 gnark commitments to private witnesses in Groth16 as implemented break zero-knowledge property

This report concerns the Groth16 prover when used with commitments as in frontend.Committer. To simplify exposition of the issue, I will focus on the case of a single commitment, to only private witnesses. But the issue should be present whenever commitments are used that include private witnesse...