DEV Community

CVE Reports
Originally published at cvereports.com

GHSA-3288-P39F-RQPV: Rust Keccak: When 'Immutable' Inputs Go Rogue on ARMv8

Vulnerability ID: GHSA-3288-P39F-RQPV
CVSS Score: Unknown
Published: 2026-02-19

A deep-dive analysis of a technical unsoundness in the Rust keccak crate's ARMv8 assembly backend. By misrepresenting register constraints to the LLVM compiler, the implementation created a divergence between the hardware state and the compiler's abstract model, leading to Undefined Behavior (UB) and potential memory corruption scenarios.

TL;DR

The keccak crate for Rust contained a critical unsoundness in its optional ARMv8 assembly optimization. Developers used post-indexing assembly instructions that modified registers (x0, x1, x8) but told the compiler these registers were immutable inputs (in). This lie to the compiler constitutes Undefined Behavior, potentially causing the optimizer to generate broken code that corrupts memory or miscalculates cryptographic states.


Technical Details

  • Vulnerability Type: Undefined Behavior / Unsoundness
  • Language: Rust / AArch64 Assembly
  • Root Cause: Incorrect Inline Assembly Register Constraints
  • Affected Component: keccak crate (armv8.rs)
  • Impact: Potential Memory Corruption / Logic Errors
  • Exploit Status: Theoretical / Compiler-Dependent

Affected Systems

  • Rust applications using keccak crate with asm feature enabled
  • ARMv8 (AArch64) architectures
  • keccak: < 0.1.6 (Fixed in: 0.1.6)

Code Analysis

Commit: 7ac1920

Fix soundness issue in ARMv8 asm

- in("x0") state.as_mut_ptr(),
+ inout("x0") state.as_mut_ptr() => _,
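
Review bot: the new inout("x0") operand discards its output with "=> _" but has no comment saying that x0 is written back by the post-indexed accesses, so a later cleanup could turn it back into a plain in; add a one-line comment at the operand. This excerpt only shows x0, while the write-up above also names x1 and x8 as modified, so confirm those operands receive the same inout(...) => _ treatment.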

Exploit Details

  • N/A: No public exploit exists; issue is theoretical unsoundness.

Mitigation Strategies

  • Update keccak crate to version >= 0.1.6
  • Disable the asm feature flag if updating is not possible
  • Audit dependency trees for transitive usage of vulnerable keccak versions

Remediation Steps:

  1. Run cargo update -p keccak to pull the latest patched version.
  2. Verify the version with cargo tree -i keccak.
  3. If using direct asm! in your own projects, verify all registers modified by hardware (including implicit updates like post-indexing) are marked as inout or lateout.
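
One way to automate the check in remediation step 3, as an added example that is not code from the keccak crate or from the original report: a std-only text heuristic that reports registers an asm! block binds with plain in(...) while the template uses them as a post-indexed or pre-indexed base. The function names, the instruction template and the operand names rc and buf are constructed for illustration; only the two x0 operand forms mirror the commit excerpt above.

```rust
// Added example (not keccak's code): flag asm! operands bound with `in("xN")`
// although the template uses xN as a writeback base. Text heuristic, std only.
use std::collections::BTreeSet;

/// Base registers updated by post-index `[xN], ...` or pre-index `[xN, ...]!`.
fn writeback_bases(template: &str) -> BTreeSet<String> {
    let (mut out, mut rest) = (BTreeSet::new(), template);
    while let Some(open) = rest.find('[') {
        let after = &rest[open + 1..];
        let Some(close) = after.find(']') else { break };
        let tail = after[close + 1..].trim_start();
        let base = after[..close].split(',').next().unwrap_or("").trim();
        let is_x = base.strip_prefix('x').is_some_and(|n| n.parse::<u8>().is_ok());
        if is_x && (tail.starts_with(',') || tail.starts_with('!')) {
            out.insert(base.to_string());
        }
        rest = &after[close + 1..];
    }
    out
}

/// Registers bound with plain `in("..")`; `inout`/`lateout` never match.
fn input_only_regs(operands: &str) -> BTreeSet<String> {
    operands.match_indices("in(\"")
        .filter(|(i, _)| !operands[..*i].ends_with(|c: char| c.is_alphanumeric() || c == '_'))
        .filter_map(|(i, _)| operands[i + 4..].split_once('"').map(|(reg, _)| reg.to_string()))
        .collect()
}

/// Registers the hardware writes but the compiler was told are read-only.
pub fn unsound_inputs(template: &str, operands: &str) -> Vec<String> {
    writeback_bases(template).intersection(&input_only_regs(operands)).cloned().collect()
}

// Constructed samples: x0 and x1 are post-indexed, x2 is a plain base.
pub const TEMPLATE: &str = r#"
    "ld1 {{v0.1d}}, [x0], #8",
    "ldr x9, [x1], #8",
    "str x9, [x2]",
"#;
pub const BEFORE: &str = r#"in("x0") state.as_mut_ptr(), in("x1") rc.as_ptr(), in("x2") buf,"#;
pub const AFTER: &str = r#"inout("x0") state.as_mut_ptr() => _, inout("x1") rc.as_ptr() => _, in("x2") buf,"#;

fn main() {
    println!("before: {:?}", unsound_inputs(TEMPLATE, BEFORE));
    println!("after:  {:?}", unsound_inputs(TEMPLATE, AFTER));
}
```

A hit means the operand needs review, not that the build is miscompiled; registers named through format placeholders such as {ptr} are outside what this heuristic sees.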
