GHSA-3288-p39f-rqpv

Source

https://github.com/advisories/GHSA-3288-p39f-rqpv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3288-p39f-rqpv/GHSA-3288-p39f-rqpv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3288-p39f-rqpv

Aliases

RUSTSEC-2026-0012

Related

CGA-p932-x329-6v22

Published

2026-02-19T15:17:41Z

Modified

2026-02-20T22:44:04.993964Z

Severity

0.5 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Unsoundness in opt-in ARMv8 assembly backend for `keccak`

Details

Summary

The asm! block enabled by the off-by-default asm feature, when enabled on ARMv8 targets, misspecified the operand type for all of its operands, using in for pointers and values which were subsequently mutated by operations performed within the assembly block.

Impact

It's unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined behavior, however changing them had no actual impact on the generated assembly for these targets. The possibility still exists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.

Mitigation

The operand types were changed from in to inout, and the impacted versions of the keccak crate were yanked.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-02-19T15:17:41Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-758"
    ],
    "github_reviewed": true
}

References

Affected packages

crates.io / keccak

Package

Name: keccak; View open source insights on deps.dev
Purl: pkg:cargo/keccak

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3288-p39f-rqpv/GHSA-3288-p39f-rqpv.json"