CVE-2025-46723
Description
OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highest limb of pc being range checked to 8-bits instead of 6-bits. This results in the if statement never being triggered because the enumeration gives i=0,1,2, when instead the enumeration should give i=1,2,3, leaving pc_limbs[3] range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the pc_limbs decomposition differs from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openvmcrates.io | >= 1.0.0, < 1.1.0 | 1.1.0 |
Patches
268da4b50c033fix: auipc range check `pc_limbs[3]` to 6-bits
1 file changed · +3 −2
extensions/rv32im/circuit/src/auipc/core.rs+3 −2 modified@@ -129,8 +129,9 @@ where need_range_check.push(limb.into()); } + assert_eq!(pc_limbs.len(), RV32_REGISTER_NUM_LIMBS); // pc_limbs[0] is already range checked through rd_data[0] - for (i, limb) in pc_limbs.iter().skip(1).enumerate() { + for (i, limb) in pc_limbs.iter().enumerate().skip(1) { if i == pc_limbs.len() - 1 { // Range check the most significant limb of pc to be in [0, 2^{PC_BITS-(RV32_REGISTER_NUM_LIMBS-1)*RV32_CELL_BITS}) need_range_check.push( @@ -242,7 +243,7 @@ where need_range_check.push(limb); } - for (i, limb) in pc_limbs.iter().skip(1).enumerate() { + for (i, limb) in pc_limbs.iter().enumerate().skip(1) { if i == pc_limbs.len() - 1 { need_range_check.push((*limb) << (pc_limbs.len() * RV32_CELL_BITS - PC_BITS)); } else {
6a5d93dba64bVulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-jf2r-x3j4-23m7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-46723ghsaADVISORY
- cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21nvdWEB
- github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rsnvdWEB
- github.com/openvm-org/openvm/commit/68da4b50c033da5603517064aa0a08e1bbf70a01nvdWEB
- github.com/openvm-org/openvm/releases/tag/v1.1.0nvdWEB
- github.com/openvm-org/openvm/security/advisories/GHSA-jf2r-x3j4-23m7nvdWEB
News mentions
0No linked articles in our index yet.