GHSA-q29p-9pfr-j652: libcrux-sha3: Incorrect output from SHAKE squeeze functions

March 26, 2026

The incremental squeeze functions in the portable SHAKE XOF API, when attempting to squeeze more than RATE (168 for SHAKE128, 136 for SHAKE256) bytes, performed an additional permutation of the state before producing the first output block, thus discarding the first block of RATE bytes of valid XOF output.

References

github.com/advisories/GHSA-q29p-9pfr-j652
github.com/cryspen/libcrux
github.com/cryspen/libcrux/pull/1352
rustsec.org/advisories/RUSTSEC-2026-0074.html

Code Behaviors & Features

Detect and mitigate GHSA-q29p-9pfr-j652 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →