GHSA-434v-x5qv-pmh6: libcrux has All-Zero Key Generation Upon Catastrophic RNG Failure

March 26, 2026

The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.

References

github.com/advisories/GHSA-434v-x5qv-pmh6
github.com/cryspen/libcrux
github.com/cryspen/libcrux/pull/1349
rustsec.org/advisories/RUSTSEC-2026-0075.html

Code Behaviors & Features

Detect and mitigate GHSA-434v-x5qv-pmh6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →