High severityOSV Advisory· Published Jan 15, 2026· Updated Jan 15, 2026
RustCrypto cmov: thumbv6m-none-eabi compiler emits non-constant time assembly when using cmovnz
CVE-2026-23519
Description
RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cmovcrates.io | < 0.4.4 | 0.4.4 |
Affected products
4- Range: base64ct-v0.1.0, base64ct-v0.1.1, base64ct-v0.1.2, …
- osv-coords3 versions
< 26.1.4-r2+ 2 more
- (no CPE)range: < 26.1.4-r2
- (no CPE)range: < 26.1.4-r2
- (no CPE)range: < 0.4.4
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-2gqc-6j2q-83qpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-23519ghsaADVISORY
- github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778ghsax_refsource_MISCWEB
- github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qpghsax_refsource_CONFIRMWEB
- rustsec.org/advisories/RUSTSEC-2026-0003.htmlghsaWEB
News mentions
0No linked articles in our index yet.