Incorrect Calculation Affecting libcrux-sha3 package, versions <0.0.8
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-LIBCRUXSHA3-15798046
- published28 Mar 2026
- disclosed4 Mar 2026
- creditUnknown
Introduced: 4 Mar 2026
CVE NOT AVAILABLE CWE-682 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade libcrux-sha3 to version 0.0.8 or higher.
Overview
Affected versions of this package are vulnerable to Incorrect Calculation in the squeeze function of the incremental portable SHAKE XOF API when more than RATE bytes are requested. An attacker can cause incorrect cryptographic output by requesting output exceeding the RATE threshold, potentially undermining the integrity of cryptographic operations that depend on the correct output of the XOF API. This is only exploitable if more than RATE bytes are squeezed from the incremental portable SHAKE XOF API.