GHSA-3288-p39f-rqpv: Unsoundness in opt-in ARMv8 assembly backend for `keccak`

February 19, 2026

The asm! block enabled by the off-by-default asm feature, when enabled on ARMv8 targets, misspecified the operand type for all of its operands, using in for pointers and values which were subsequently mutated by operations performed within the assembly block.

References

github.com/RustCrypto/sponges
github.com/RustCrypto/sponges/commit/7ac1920198ebb7d0192e6d2c3581e15b38a6e0e5
github.com/RustCrypto/sponges/pull/101
github.com/advisories/GHSA-3288-p39f-rqpv
rustsec.org/advisories/RUSTSEC-2026-0012.html

Code Behaviors & Features

Detect and mitigate GHSA-3288-p39f-rqpv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →