CVE Reports

Originally published at cvereports.com

CVE-2026-23519: Betrayal by Optimization: How LLVM Broke Rust's Constant-Time Promises

Vulnerability ID: CVE-2026-23519
CVSS Score: 8.9
Published: 2026-01-15

A critical side-channel vulnerability in the Rust cmov crate where LLVM optimizations inadvertently introduced conditional branches into constant-time logic on ARM Cortex-M0 targets, exposing cryptographic secrets.

TL;DR

The Rust compiler is usually your friend, but in this case, it was the mole. On specific 32-bit ARM chips (Cortex-M0), LLVM optimized the cmov crate's constant-time logic into a conditional branch (bne). This introduced a timing side-channel into foundational cryptography libraries, allowing attackers to recover private keys from embedded devices simply by watching how long the CPU takes to think.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-208 (Observable Timing Discrepancy)
  • Attack Vector: Network / Physical (Side-Channel)
  • CVSS v4.0: 8.9 (High)
  • Architecture: ARM Thumb-v6M (32-bit)
  • Root Cause: LLVM Optimization (Value Range Analysis)
  • Impact: Key Extraction via Timing Analysis

Affected Systems

  • RustCrypto Utilities (cmov crate)
  • ARM Cortex-M0/M0+/M1 (thumbv6m-none-eabi)
  • Embedded IoT Devices using Rust
  • Hardware Wallets relying on pure-Rust crypto
  • cmov: < 0.4.4 (Fixed in: 0.4.5)

Code Analysis

Commit: 5597725

Fix constant-time conditional moves on thumbv6m

-       ($value | $value.wrapping_neg()) >> ($bits - 1)
+       black_box(($value | $value.wrapping_neg()) >> ($bits - 1))
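
Review bot: the added line relies on black_box alone to keep the mask computation opaque to the optimizer, but core::hint::black_box is documented as best-effort and as offering no guarantee for cryptographic or security purposes. Add a comment on this line saying why the wrapper is there (the thumbv6m issue named in the commit title) and back it with a build-time check of the generated thumbv6m assembly, so that a later toolchain that sees through the hint is caught instead of shipping silently.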

Exploit Details

  • RustSec: Advisory and analysis of the optimization flaw.
  • GitHub: PoC demonstrating the branch generation.

Mitigation Strategies

  • Force compiler opacity using core::hint::black_box.
  • Use architecture-specific inline assembly for critical paths.
  • Verify generated assembly artifacts using cargo-show-asm or objdump.

Remediation Steps:

  1. Update cmov dependency to version 0.4.5 or higher.
  2. If using RustCrypto crates, run cargo update to pull in the patched transitive dependency.
  3. For critical firmware, audit the final binary to ensure no bne/beq instructions exist in constant-time routines.
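
The audit in remediation step 3 can be scripted. The following is an added example, not code from the cmov project or from the original report: it scans objdump -d text for Thumb conditional branches (b<cond>, plus cbz/cbnz, which exist only on newer Thumb targets) inside functions whose symbol contains a given substring. The function names, the demo_mask_* symbols and the embedded listing are constructed for illustration.

```rust
// Added example. The symbol names and the SAMPLE listing are constructed for illustration.
const CONDS: [&str; 16] = [
    "eq", "ne", "cs", "hs", "cc", "lo", "mi", "pl", "vs", "vc", "hi", "ls", "ge", "lt", "gt", "le",
];

/// True for Thumb conditional branches as objdump prints them (`bne`, `beq.n`, `cbz`).
fn is_cond_branch(mnemonic: &str) -> bool {
    let m = mnemonic.split('.').next().unwrap_or(""); // drop a `.n` / `.w` width suffix
    m == "cbz" || m == "cbnz" || m.strip_prefix('b').map_or(false, |c| CONDS.contains(&c))
}

/// Returns (symbol, address, mnemonic) for each conditional branch in functions matching `needle`.
fn find_branches(disasm: &str, needle: &str) -> Vec<(String, String, String)> {
    let (mut current, mut hits) = (String::new(), Vec::new());
    for line in disasm.lines() {
        // Function header, e.g. "00000010 <symbol>:"
        if let Some(rest) = line.trim_end().strip_suffix(">:") {
            current = rest.split_once('<').map_or("", |(_, name)| name).to_string();
            continue;
        }
        let cols: Vec<&str> = line.split('\t').collect(); // address, raw bytes, mnemonic, operands
        if cols.len() >= 3 && current.contains(needle) && is_cond_branch(cols[2].trim()) {
            let addr = cols[0].trim().trim_end_matches(':').to_string();
            hits.push((current.clone(), addr, cols[2].trim().to_string()));
        }
    }
    hits
}

const SAMPLE: &str = "\
00000000 <demo_mask_flat>:\n\
0:\t4241      \tnegs\tr1, r0\n\
2:\t4308      \torrs\tr0, r1\n\
4:\t0fc0      \tlsrs\tr0, r0, #31\n\
6:\t4770      \tbx\tlr\n\
00000010 <demo_mask_branchy>:\n\
10:\t2800      \tcmp\tr0, #0\n\
12:\td101      \tbne.n\t18 <demo_mask_branchy+0x8>\n\
14:\t2000      \tmovs\tr0, #0\n\
16:\t4770      \tbx\tlr\n\
18:\t2001      \tmovs\tr0, #1\n\
1a:\t4770      \tbx\tlr\n";

fn main() {
    for (sym, addr, mn) in find_branches(SAMPLE, "demo_mask") {
        println!("conditional branch in {sym} at 0x{addr}: {mn}");
    }
}
```

Run it on the disassembly of the optimized build that actually ships, since the report attributes the branch to an LLVM optimization; unconditional control flow such as bx, bl and b is deliberately not flagged.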

Read the full report for CVE-2026-23519 on our website for more details including interactive diagrams and full exploit analysis.