Common Weakness Enumeration

CWE-1240

Allowed

Use of a Cryptographic Primitive with a Risky Implementation

Abstraction: Base · Status: Draft

To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.

42 vulnerabilities reference this CWE, most recent first.

GHSA-RW68-3JHM-823V

Vulnerability from github – Published: 2025-02-04 03:33 – Updated: 2025-02-04 03:33
VLAI
Details

Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. A remote attacker could potentially exploit this vulnerability, leading to Information tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1240",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-04T03:15:07Z",
    "severity": "LOW"
  },
  "details": "Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. A remote attacker could potentially exploit this vulnerability, leading to Information tampering.",
  "id": "GHSA-rw68-3jhm-823v",
  "modified": "2025-02-04T03:33:24Z",
  "published": "2025-02-04T03:33:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22475"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000279157/dsa-2025-022-security-update-for-dell-powerprotect-dd-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ64-RJF3-W3V7

Vulnerability from github – Published: 2026-05-21 20:24 – Updated: 2026-06-11 14:05
VLAI
Summary
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Details

Impact

  • Key: challenger/src/multi_field_challenger.rs | MultiField32Challenger::duplexing | transcript_malleability
  • Affected files: challenger/src/multi_field_challenger.rs, field/src/helpers.rs
  • Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed field elements. Specifically: (1) absorption must be injective — distinct observation streams must produce distinct sponge states, (2) squeezing must be injective — distinct PF rate cells must yield distinct F challenge sequences, and (3) all bits of each absorbed PF element must influence the sponge state.

  • Exploit scenario: An attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. Three independent attack vectors exist:

  • Partial-chunk aliasing (absorb): duplexing() packs input_buffer.chunks(num_f_elms) via reduce_32 (base 2^32) with no length marker and no zeroing of unused rate slots. Observing [x] followed by a sample yields the same sponge state as [x, 0, ..., 0] (padded to num_f_elms) followed by a sample, since reduce_32 treats missing high limbs identically to explicit zeros. The attacker can extend or truncate the tail of any observation batch without changing future challenges.

  • Non-injective squeeze (squeeze): split_32 decomposes each PF rate cell into base-2^64 digits and maps each through TF::from_u64, which reduces mod F::ORDER (~2^31). Two distinct PF values whose base-2^64 digits differ only in their upper 33 bits produce identical F challenge sequences. This weakens the entropy of sampled challenges and can enable selective forgery when the attacker can influence the sponge state pre-squeeze.

  • High-bit truncation (observe Hash/MerkleCap): num_f_elms = PF::bits() / 64 computes the number of F limbs per PF element. For BN254 (254-bit field), this yields 3 limbs covering 192 bits — the top 62 bits of every digest word are silently discarded. An attacker can find two distinct BN254 hash digests that differ only in bits 192–253 and observe them interchangeably without affecting challenges.

  • Evidence: In duplexing(), the absorb path (reduce_32 with base 2^32) and the squeeze path (split_32 with base 2^64) use incompatible radices with no length domain separation. reduce_32 is a plain Horner fold acc * 2^32 + digit with no padding or tag, so trailing zeros are free. split_32 extracts u64 digits and casts each via TF::from_u64, which performs modular reduction, collapsing the top bits. The limb count PF::bits() / 64 is a floor division that silently drops all bits beyond 64 * num_f_elms for fields whose bit-width is not a multiple of 64.

Patches

Included in v0.4.3 and v0.5.3

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "p3-challenger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "p3-challenger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1240",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:24:21Z",
    "nvd_published_at": "2026-06-10T22:16:59Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n- **Key**: `challenger/src/multi_field_challenger.rs` | `MultiField32Challenger::duplexing` | `transcript_malleability`\n- **Affected files**: `challenger/src/multi_field_challenger.rs`, `field/src/helpers.rs`\n- **Violated invariant**: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed field elements. Specifically: (1) absorption must be injective \u2014 distinct observation streams must produce distinct sponge states, (2) squeezing must be injective \u2014 distinct PF rate cells must yield distinct F challenge sequences, and (3) all bits of each absorbed PF element must influence the sponge state.\n\n- **Exploit scenario**: An attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. Three independent attack vectors exist:\n\n  1. **Partial-chunk aliasing (absorb)**: `duplexing()` packs `input_buffer.chunks(num_f_elms)` via `reduce_32` (base 2^32) with no length marker and no zeroing of unused rate slots. Observing `[x]` followed by a sample yields the same sponge state as `[x, 0, ..., 0]` (padded to `num_f_elms`) followed by a sample, since `reduce_32` treats missing high limbs identically to explicit zeros. The attacker can extend or truncate the tail of any observation batch without changing future challenges.\n\n  2. **Non-injective squeeze (squeeze)**: `split_32` decomposes each PF rate cell into base-2^64 digits and maps each through `TF::from_u64`, which reduces mod `F::ORDER` (~2^31). Two distinct PF values whose base-2^64 digits differ only in their upper 33 bits produce identical F challenge sequences. This weakens the entropy of sampled challenges and can enable selective forgery when the attacker can influence the sponge state pre-squeeze.\n\n  3. **High-bit truncation (observe Hash/MerkleCap)**: `num_f_elms = PF::bits() / 64` computes the number of F limbs per PF element. For BN254 (254-bit field), this yields 3 limbs covering 192 bits \u2014 the top 62 bits of every digest word are silently discarded. An attacker can find two distinct BN254 hash digests that differ only in bits 192\u2013253 and observe them interchangeably without affecting challenges.\n\n- **Evidence**: In `duplexing()`, the absorb path (`reduce_32` with base 2^32) and the squeeze path (`split_32` with base 2^64) use incompatible radices with no length domain separation. `reduce_32` is a plain Horner fold `acc * 2^32 + digit` with no padding or tag, so trailing zeros are free. `split_32` extracts u64 digits and casts each via `TF::from_u64`, which performs modular reduction, collapsing the top bits. The limb count `PF::bits() / 64` is a floor division that silently drops all bits beyond `64 * num_f_elms` for fields whose bit-width is not a multiple of 64.\n\n### Patches\n\nIncluded in v0.4.3 and v0.5.3",
  "id": "GHSA-vj64-rjf3-w3v7",
  "modified": "2026-06-11T14:05:27Z",
  "published": "2026-05-21T20:24:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Plonky3/Plonky3/security/advisories/GHSA-vj64-rjf3-w3v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46654"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Plonky3/Plonky3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss"
}

Mitigation MIT-55
Requirements

Require compliance with the strongest-available recommendations from trusted parties, and require that compliance must be kept up-to-date, since recommendations evolve over time. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].

Mitigation
Architecture and Design

Ensure that the architecture/design uses the strongest-available primitives and algorithms from trusted parties. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].

Mitigation MIT-54
Architecture and Design

Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. As with all cryptographic mechanisms, the source code should be available for analysis. If the algorithm may be compromised when attackers find out how it works, then it is especially weak.

Mitigation
Architecture and Design

Try not to use cryptographic algorithms in novel ways or with new modes of operation even when you "know" it is secure. For example, using SHA-2 chaining to create a 1-time pad for encryption might sound like a good idea, but one should not do this.

Mitigation MIT-52
Architecture and Design

Ensure that the design can replace one cryptographic primitive or algorithm with another in the next generation ("cryptographic agility"). Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. This is especially important for hardware, which can be more difficult to upgrade quickly than software; design the hardware at a replaceable block level.

Mitigation
Architecture and Design

Do not use outdated or non-compliant cryptography algorithms. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong [REF-267].

Mitigation
Architecture and Design Implementation

Do not use a linear-feedback shift register (LFSR) or other legacy methods as a substitute for an accepted and standard Random Number Generator.

Mitigation
Architecture and Design Implementation

Do not use a checksum as a substitute for a cryptographically generated hash.

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use a vetted cryptographic library or framework. Industry-standard implementations will save development time and are more likely to avoid errors that can occur during implementation of cryptographic algorithms. However, the library/framework could be used incorrectly during implementation.

Mitigation
Architecture and Design Implementation

When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for the prevention of common attacks.

Mitigation
Architecture and Design Implementation

Do not store keys in areas accessible to untrusted agents. Carefully manage and protect the cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography algorithm is irrelevant.

CAPEC-97: Cryptanalysis

Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).