CVE-2025-46723 (GCVE-0-2025-46723)
Vulnerability from cvelistv5 – Published: 2025-05-02 22:18 – Updated: 2025-05-06 14:37
Title
OpenVM byte decomposition of pc in AUIPC chip can overflow
Summary
OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through the byte decomposition of pc in the AUIPC chip. A typo results in the highest limb of pc being range checked to 8 bits instead of 6 bits: the if statement that should apply the 6-bit check is never triggered because the enumeration gives i=0,1,2 when it should give i=1,2,3, leaving pc_limbs[3] range checked to 8 bits instead of 6. As a result the pc_limbs decomposition can differ from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0.
Severity
CVSS 4.0 base score 7.8 (HIGH), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
CWE
- CWE-131 - Incorrect Calculation of Buffer Size
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7 | x_refsource_CONFIRM |
| https://github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01 | x_refsource_MISC |
| https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21 | x_refsource_MISC |
| https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135 | x_refsource_MISC |
| https://github.com/openvm-org/openvm/releases/tag/v1.1.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| openvm-org | openvm | Affected: = 1.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T13:47:21.220851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T14:37:52.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openvm",
"vendor": "openvm-org",
"versions": [
{
"status": "affected",
"version": "= 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highest limb of pc being range checked to 8-bits instead of 6-bits. This results in the if statement never being triggered because the enumeration gives i=0,1,2, when instead the enumeration should give i=1,2,3, leaving pc_limbs[3] range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the pc_limbs decomposition differs from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "CWE-131: Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T22:18:55.696Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7"
},
{
"name": "https://github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01"
},
{
"name": "https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21",
"tags": [
"x_refsource_MISC"
],
"url": "https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21"
},
{
"name": "https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135"
},
{
"name": "https://github.com/openvm-org/openvm/releases/tag/v1.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openvm-org/openvm/releases/tag/v1.1.0"
}
],
"source": {
"advisory": "GHSA-jf2r-x3j4-23m7",
"discovery": "UNKNOWN"
},
"title": "OpenVM byte decomposition of pc in AUIPC chip can overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46723",
"datePublished": "2025-05-02T22:18:55.696Z",
"dateReserved": "2025-04-28T20:56:09.084Z",
"dateUpdated": "2025-05-06T14:37:52.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-46723\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-02T23:15:16.580\",\"lastModified\":\"2025-05-05T20:54:19.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highest limb of pc being range checked to 8-bits instead of 6-bits. This results in the if statement never being triggered because the enumeration gives i=0,1,2, when instead the enumeration should give i=1,2,3, leaving pc_limbs[3] range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the pc_limbs decomposition differs from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0.\"},{\"lang\":\"es\",\"value\":\"OpenVM es un framework zkVM modular y de alto rendimiento, dise\u00f1ado para la personalizaci\u00f3n y la extensibilidad. En la versi\u00f3n 1.0.0, OpenVM es vulnerable a un desbordamiento debido a la descomposici\u00f3n de bytes de pc en el chip AUIPC. Un error tipogr\u00e1fico provoca que la rama m\u00e1s alta de pc se compruebe a 8 bits en lugar de 6. Esto provoca que la instrucci\u00f3n if nunca se active, ya que la enumeraci\u00f3n devuelve i=0,1,2, cuando deber\u00eda dar i=1,2,3, dejando el rango de pc_limbs[3] comprobado a 8 bits en lugar de 6. Esto genera una vulnerabilidad donde la descomposici\u00f3n de pc_limbs difiere de la verdadera pc, lo que significa que un probador malicioso puede hacer que el registro de destino tome un valor diferente al que dicta la instrucci\u00f3n AUIPC, provocando que la descomposici\u00f3n desborde el campo BabyBear. Este problema se ha corregido en la versi\u00f3n 1.1.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-131\"}]}],\"references\":[{\"url\":\"https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/openvm-org/openvm/releases/tag/v1.1.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46723\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-06T13:47:21.220851Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-06T14:37:48.226Z\"}}], \"cna\": {\"title\": \"OpenVM byte decomposition of pc in AUIPC chip can overflow\", \"source\": {\"advisory\": \"GHSA-jf2r-x3j4-23m7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"openvm-org\", \"product\": \"openvm\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 1.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7\", \"name\": \"https://github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01\", \"name\": \"https://github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21\", \"name\": \"https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135\", \"name\": \"https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openvm-org/openvm/releases/tag/v1.1.0\", \"name\": \"https://github.com/openvm-org/openvm/releases/tag/v1.1.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highest limb of pc being range checked to 8-bits instead of 6-bits. This results in the if statement never being triggered because the enumeration gives i=0,1,2, when instead the enumeration should give i=1,2,3, leaving pc_limbs[3] range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the pc_limbs decomposition differs from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-131\", \"description\": \"CWE-131: Incorrect Calculation of Buffer Size\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-02T22:18:55.696Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-46723\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-06T14:37:52.764Z\", \"dateReserved\": \"2025-04-28T20:56:09.084Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-02T22:18:55.696Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.