RUSTSEC-2026-0004

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2026-0004

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0004.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2026-0004

Aliases

GHSA-rjr4-v43m-pxq6

Published

2026-01-21T12:00:00Z

Modified

2026-01-23T06:11:15.375905Z

Summary

Triton VM Soundness Vulnerability due to Improper Sampling of Randomness

Details

In affected versions of Triton VM, the verifier failed to correctly sample randomness in the FRI sub-protocol.

Malicious provers can exploit this to craft proofs for arbitrary statements that this verifier accepts as valid, undermining soundness.

Protocols that rely on proofs and the supplied verifier of the affected versions of Triton VM are completely broken. Protocols implementing their own verifier might be unaffected.

The flaw was corrected in commit 3a045d63, where the relevant randomness is sampled correctly.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / triton-vm

Package

Name: triton-vm; View open source insights on deps.dev
Purl: pkg:cargo/triton-vm

Affected ranges

Type: SEMVER
Events: Introduced

0.41.0

Fixed

2.0.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "arch": [],
        "functions": [
            "triton_vm::verify"
        ],
        "os": []
    }
}

Database specific

informational

null

cvss

null

source

"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0004.json"