{"id":"RUSTSEC-2026-0012","summary":"Unsoundness in opt-in ARMv8 assembly backend for `keccak`","details":"### Summary\n\nThe `asm!` block enabled by the off-by-default `asm` feature, when enabled on ARMv8 targets, misspecified the operand\ntype for all of its operands, using `in` for pointers and values which were subsequently mutated by operations performed\nwithin the assembly block.\n\n### Impact\n\nIt's unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined\nbehavior; however, changing them had no actual impact on the generated assembly for these targets. The possibility still\nexists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.\n\n### Mitigation\n\nThe operand types were changed from `in` to `inout`, and the impacted versions of the `keccak` crate were yanked.","aliases":["GHSA-3288-p39f-rqpv"],"modified":"2026-02-20T04:00:15Z","published":"2026-02-12T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/keccak"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0012.html"},{"type":"WEB","url":"https://github.com/RustCrypto/sponges/pull/101"}],"affected":[{"package":{"name":"keccak","ecosystem":"crates.io","purl":"pkg:cargo/keccak"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.1.6"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"informational":"unsound","categories":["crypto-failure"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0012.json","cvss":null}}],"schema_version":"1.7.3"}