RUSTSEC-2026-0012

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0012
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0012.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0012
Published
2026-02-12T12:00:00Z
Modified
2026-02-17T22:17:21.765637Z
Summary
Unsoundness in opt-in ARMv8 assembly backend for `keccak`
Details

Summary

The asm! block enabled by the off-by-default asm feature, when enabled on ARMv8 targets, misspecified the operand type for all of its operands, using in for pointers and values which were subsequently mutated by operations performed within the assembly block.

Impact

It's unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined behavior, however changing them had no actual impact on the generated assembly for these targets. The possibility still exists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.

Mitigation

The operand types were changed from in to inout, and the impacted versions of the keccak crate were yanked.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / keccak

Package

Name
keccak
View open source insights on deps.dev
Purl
pkg:cargo/keccak

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.1.6

Ecosystem specific 

{
    "affects": {
        "functions": [],
        "os": [],
        "arch": []
    },
    "affected_functions": null
}

Database specific

source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0012.json"
categories 
[
    "crypto-failure"
]
cvss 
null
informational 
"unsound"