CVE-2026-23519: RustCrypto Utilities cmov: `thumbv6m-none-eabi` compiler emits non-constant time assembly when using `cmovnz`

January 15, 2026 (updated January 23, 2026)

thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). I did not found any other target with the same behaviour but I did not go through all targets supported by Rust.

References

github.com/RustCrypto/utils
github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778
github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp
github.com/advisories/GHSA-2gqc-6j2q-83qp
nvd.nist.gov/vuln/detail/CVE-2026-23519
rustsec.org/advisories/RUSTSEC-2026-0003.html

Code Behaviors & Features

Detect and mitigate CVE-2026-23519 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →