Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. keccak
  4. ›
  5. GHSA-3288-p39f-rqpv

GHSA-3288-p39f-rqpv: Unsoundness in opt-in ARMv8 assembly backend for `keccak`

February 19, 2026

The asm! block enabled by the off-by-default asm feature, when enabled on ARMv8 targets, misspecified the operand type for all of its operands, using in for pointers and values which were subsequently mutated by operations performed within the assembly block.

References

  • github.com/RustCrypto/sponges
  • github.com/RustCrypto/sponges/commit/7ac1920198ebb7d0192e6d2c3581e15b38a6e0e5
  • github.com/RustCrypto/sponges/pull/101
  • github.com/advisories/GHSA-3288-p39f-rqpv
  • rustsec.org/advisories/RUSTSEC-2026-0012.html

Code Behaviors & Features

Detect and mitigate GHSA-3288-p39f-rqpv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.1.6

Fixed versions

  • 0.1.6

Solution

Upgrade to version 0.1.6 or above.

Impact 2.9 LOW

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Learn more about CVSS

Weakness

  • CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Source file

cargo/keccak/GHSA-3288-p39f-rqpv.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Fri, 20 Feb 2026 12:19:53 +0000.