CVE-2026-23519 | THREATINT

Description

RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4.

PUBLISHED Reserved 2026-01-13 | Published 2026-01-15 | Updated 2026-01-15 | Assigner GitHub_M

HIGH: 8.9CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-208: Observable Timing Discrepancy

Product status

< 0.4.4

affected

References

github.com/.../utils/security/advisories/GHSA-2gqc-6j2q-83qp exploit

github.com/.../utils/security/advisories/GHSA-2gqc-6j2q-83qp

github.com/...ommit/55977257e7c82a309d5e8abfdd380a774f0f9778

cve.org (CVE-2026-23519)

nvd.nist.gov (CVE-2026-23519)

Download JSON