CVE-2025-46723

HIGH EPSS 30.2%
Published May 2, 20251y ago · Modified Jun 17, 20261w ago
7.8 CVSS 4.0
High
Find Similar
Published May 2, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highest limb of pc being range checked to 8-bits instead of 6-bits. This results in the if statement never being triggered because the enumeration gives i=0,1,2, when instead the enumeration should give i=1,2,3, leaving pc_limbs[3] range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the pc_limbs decomposition differs from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0.

CVSS Details

Base Score
7.8
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
30.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-131

References 5

  • cantina.xyz https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21
  • github.com https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135
  • github.com https://github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01
  • github.com https://github.com/openvm-org/openvm/releases/tag/v1.1.0
  • github.com https://github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.