
GHSA-rjr4-v43m-pxq6: Triton VM Soundness Vulnerability due to Improper Sampling of Randomness

January 21, 2026 (updated January 22, 2026)

In affected versions of Triton VM, the verifier failed to sample randomness correctly in the FRI sub-protocol (the Fast Reed-Solomon Interactive Oracle Proof of Proximity used to check that a committed polynomial has low degree).

A malicious prover can exploit this to craft proofs for arbitrary statements that the affected verifier accepts as valid, breaking soundness.

Any protocol that relies on proofs checked with the verifier shipped in an affected version of Triton VM is completely broken: such a verifier cannot distinguish honest proofs from forged ones. Protocols that implement their own verifier might be unaffected.

The flaw was corrected in commit 3a045d63, which samples the relevant randomness correctly; the fix ships in release v2.0.0.

References

  • github.com/TritonVM/triton-vm
  • github.com/TritonVM/triton-vm/commit/3a045d636e97bb2eb628671db0001aa665c19dd8
  • github.com/TritonVM/triton-vm/releases/tag/v2.0.0
  • github.com/advisories/GHSA-rjr4-v43m-pxq6
  • rustsec.org/advisories/RUSTSEC-2026-0004.html


Affected versions

All versions starting from 0.41.0 before 2.0.0

Fixed versions

  • 2.0.0

Solution

Upgrade to version 2.0.0 or above.
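
The affected range above, checked against a Cargo.lock, as an added example in Rust (not code from the Triton VM project or from the advisory database): it reads each [[package]] entry with a minimal line-based parser, strips pre-release and build metadata from the version, and flags every triton-vm entry in [0.41.0, 2.0.0). The lock-file contents, the crate version numbers in it, and the function names are constructed for the example.

```rust
// Added example, not code from Triton VM or the advisory database: scan a
// Cargo.lock for triton-vm versions inside the affected range
// >= 0.41.0, < 2.0.0 reported by GHSA-rjr4-v43m-pxq6.

/// A parsed semantic version (major, minor, patch). Pre-release and build
/// metadata are stripped, so "1.2.3-rc.1" compares as 1.2.3 (conservative:
/// a pre-release of an affected version is still flagged).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c| c == '-' || c == '+').next()?;
        let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next().unwrap_or(Some(0))?;
        let patch = parts.next().unwrap_or(Some(0))?;
        if parts.next().is_some() {
            return None; // more than three numeric components
        }
        Some(Version(major, minor, patch))
    }
}

/// Range from the advisory: all versions starting from 0.41.0 before 2.0.0.
pub const AFFECTED_FROM: Version = Version(0, 41, 0);
pub const FIXED_IN: Version = Version(2, 0, 0);

/// Half-open interval check; derived Ord compares fields lexicographically.
pub fn is_affected(v: Version) -> bool {
    v >= AFFECTED_FROM && v < FIXED_IN
}

/// Extract the value of a `key = "value"` line, or None if the line is
/// something else (comment, unquoted value, list element, other key).
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    let rest = rest.strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// Push the (name, version) pair collected so far, if complete, and reset.
fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, String)>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push((n, v));
    }
}

/// Minimal Cargo.lock reader: returns (name, version) for every [[package]]
/// entry. Handles only the `key = "value"` lines Cargo itself writes; it is
/// not a general TOML parser.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v);
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Every triton-vm version in the lock file that falls in the affected range.
/// A version string that does not parse is reported too (fail closed).
pub fn affected_triton_vm(lock: &str) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .filter(|(n, _)| n == "triton-vm")
        .filter(|(_, v)| Version::parse(v).map_or(true, is_affected))
        .map(|(_, v)| v)
        .collect()
}

/// Constructed sample lock file (not taken from any real project); the
/// triton-vm version numbers are illustrative.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "num-traits"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "triton-vm"
version = "0.50.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "num-traits",
]

[[package]]
name = "triton-vm"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for v in affected_triton_vm(SAMPLE_LOCK) {
        println!("triton-vm {} is affected by GHSA-rjr4-v43m-pxq6; upgrade to 2.0.0 or later", v);
    }
}
```

Cargo.lock can pin several versions of the same crate when different dependencies require them, so every entry is checked rather than the first match. `cargo audit` against the RustSec database (RUSTSEC-2026-0004) performs the same check with full semver handling and is the right tool for CI.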

Impact 4.8 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

The vector rates confidentiality and integrity impact as Low. For a system whose security rests on proof soundness, the consequence described above (a forged proof of any statement is accepted) is more severe than this score suggests, so treat the affected version range, not the score, as the trigger for upgrading.

Weakness

  • CWE-330: Use of Insufficiently Random Values

Source file

cargo/triton-vm/GHSA-rjr4-v43m-pxq6.yml


Page generated Wed, 04 Feb 2026 00:35:39 +0000.