CVE-2026-23519 · CRITICAL 9.8 · EPSS p38.7%

Description

RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% probability of exploitation · percentile 38.7% · 2026-06-19T12:03:05Z
Published: 2026-01-15
Last modified: 2026-01-23

Underlying weaknesses · 2

CWE-208, CWE-203

References

  1. https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778
  2. https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp

| Type | Target | Confidence | Tier |
|------|--------|------------|------|
| Weakness | Observable Discrepancy (cwe-203) | 0% | live |
| Weakness | Observable Timing Discrepancy (cwe-208) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-41681
  - CVE-2025-48751
  - CVE-2026-41676
  - CVE-2026-41898
  - CVE-2025-48752
  - CVE-2025-61732

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.