`fold (xor (shl 1, x), -1) -> (rotl ~1, x)` misoptimization in zksolc
Description
zksolc compiler misoptimization in LLVM fold leads to incorrect constant generation for bitwise operations; fixed in version 1.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
zksolc compiler misoptimization in LLVM fold leads to incorrect constant generation for bitwise operations; fixed in version 1.5.3.
Vulnerability
A misoptimization in LLVM's DAGCombiner, present in all LLVM versions since 2015, incorrectly folds (xor (shl 1, x), -1) to (rotl ~1, x) when optimizations are enabled [1]. In the context of zksolc (the Solidity compiler for ZKsync), the constant ~1 is generated as an unsigned 64-bit number (2^64-1) and then zero-extended to 256 bits on the EraVM target, whereas it should have been sign-extended. This results in the compiler producing rotl 2^64 - 1, x instead of the correct rotl 2^256 - 1, x. The bug is reproducible in Solidity with the pattern uint256 bit = 1 << index; data &= ~bit; [2]. All versions of zksolc prior to 1.5.3 are affected.
Exploitation
An attacker would need to deploy a smart contract that contains the vulnerable bitwise pattern and is compiled with an affected version of zksolc with optimizations enabled. The attacker would then rely on the incorrect constant to cause unintended behavior in the contract's logic. However, analysis by the zksolc maintainers has confirmed that no contracts were affected by the date of publishing this advisory [2].
Impact
Successful exploitation could lead to incorrect results in bitwise operations, potentially causing logic errors in contracts that depend on clearing specific bits. The impact is limited to contracts that use the exact vulnerable pattern and are compiled with optimizations. No remote code execution or data disclosure is possible; the vulnerability is a compiler bug that produces wrong bytecode.
Mitigation
The issue has been fixed in zksolc version 1.5.3 [2]. Users are advised to upgrade to this version and redeploy all contracts. There are no known workarounds for this vulnerability; upgrading and redeploying is the only remedy.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
22- osv-coords20 versionspkg:deb/ubuntu/llvm-toolchain-10pkg:deb/ubuntu/llvm-toolchain-11pkg:deb/ubuntu/llvm-toolchain-12pkg:deb/ubuntu/llvm-toolchain-13pkg:deb/ubuntu/llvm-toolchain-14pkg:deb/ubuntu/llvm-toolchain-15pkg:deb/ubuntu/llvm-toolchain-16pkg:deb/ubuntu/llvm-toolchain-17pkg:deb/ubuntu/llvm-toolchain-18pkg:deb/ubuntu/llvm-toolchain-3.5pkg:deb/ubuntu/llvm-toolchain-3.6pkg:deb/ubuntu/llvm-toolchain-3.7pkg:deb/ubuntu/llvm-toolchain-3.8pkg:deb/ubuntu/llvm-toolchain-3.9pkg:deb/ubuntu/llvm-toolchain-4.0pkg:deb/ubuntu/llvm-toolchain-5.0pkg:deb/ubuntu/llvm-toolchain-6.0pkg:deb/ubuntu/llvm-toolchain-7pkg:deb/ubuntu/llvm-toolchain-8pkg:deb/ubuntu/llvm-toolchain-9
>= 0+ 19 more
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- Range: < 1.5.3
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The LLVM compiler incorrectly folds a bitwise XOR operation with a left shift into a rotate left operation with an incorrect immediate value when targeting the EraVM."
Attack vector
This vulnerability is triggered when the zksolc compiler, using an affected LLVM version with optimizations enabled, compiles Solidity code. Specifically, the LLVM optimization `(xor (shl 1, x), -1)` is folded into `(rotl ~1, x)`. The issue arises because the immediate value `~1` is zero-extended to 256 bits instead of being sign-extended for the EraVM target, leading to an incorrect rotation amount. No specific user interaction is described, but the compilation process itself is the attack vector.
Affected code
The vulnerability lies within the LLVM compiler's `DAGCombiner` pass, specifically in the `visitXOR` function. The problematic optimization folds the expression `(xor (shl 1, x), -1)` into `(rotl ~1, x)`. This transformation is detailed in the LLVM project commit `e48237df95b49a36b8ffceb78c8a58f4be1b4344` [ref_id=1].
What the fix does
The vulnerability was addressed in zksolc version 1.5.3. The patch, found in the LLVM project at commit `e48237df95b49a36b8ffceb78c8a58f4be1b4344`, modifies the `DAGCombiner::visitXOR` function. It corrects the folding of the `(xor (shl 1, x), -1)` pattern to ensure the correct immediate value is used for the `ROTL` operation when targeting specific architectures like EraVM, preventing the incorrect zero-extension.
Preconditions
- configThe zksolc compiler must be using an LLVM version affected by the optimization bug.
- configLLVM optimizations must be enabled during the compilation process.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/llvm/llvm-project/commit/e48237df95b49a36b8ffceb78c8a58f4be1b4344mitrex_refsource_MISC
- github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-fpx7-8vc6-frjjmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.