EXECUTIVE SUMMARY:
CVE-2026-46654, with a CVSS score of 7.5, is a vulnerability in the Plonky3 MultiField32Challenger, affecting versions of the rust/p3-challenger package prior to 0.4.3 and versions 0.5.0 through 0.5.2. The vulnerability arises from transcript malleability and challenge entropy loss: the Fiat-Shamir sponge fails to bind challenges to the exact sequence of observed field elements. Specifically, distinct observation streams can produce identical sponge states, so an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. Three independent attack vectors exist: partial-chunk aliasing (absorb), non-injective squeeze (squeeze), and high-bit truncation (observe Hash/MerkleCap); each can enable selective forgery when the attacker can influence the sponge state before a squeeze. If exploited, this vulnerability can lead to a loss of integrity and confidentiality in the affected system, potentially resulting in significant business impact. Prerequisites for exploitation include control of prover-side observations and the ability to manipulate the sponge state.
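The following is an added illustration of the first vector named above, partial-chunk aliasing, and of the length-binding fix that closes it; it is not Plonky3 code and does not reproduce the MultiField32Challenger. The toy field, the toy permutation, the `Sponge` type and its `observe`/`sample` methods are all constructed for this example. A sponge that buffers a partial input chunk and implicitly zero-pads it at squeeze time cannot distinguish the transcript [a, b] from [a, b, 0, 0]; mixing the observation count and a nonzero terminator into the state before squeezing makes the transcript length part of the state, so the two streams yield different challenges. The other two vectors (non-injective squeeze and high-bit truncation) are not modelled here.

```rust
// Added illustration of Fiat-Shamir transcript binding. Everything here is
// constructed for the example: the toy field, the toy permutation and the
// `Sponge` API are stand-ins, not Plonky3's MultiField32Challenger.

const P: u64 = (1 << 31) - 1; // Mersenne31-sized prime, used only as a toy field
const RATE: usize = 4;        // field elements absorbed per permutation call
const WIDTH: usize = 8;       // sponge state width in field elements

/// Toy, non-cryptographic permutation: enough mixing that distinct inputs
/// diverge, nothing more. A real challenger uses a cryptographic one.
fn permute(state: &mut [u64; WIDTH]) {
    for round in 0..4u64 {
        for i in 0..WIDTH {
            let prev = state[(i + WIDTH - 1) % WIDTH];
            let x = (state[i] + prev + round * 7 + i as u64 + 1) % P;
            let x2 = x * x % P;
            let x4 = x2 * x2 % P;
            state[i] = x4 * x % P; // x^5 is a bijection on this prime field
        }
    }
}

/// Sponge that buffers a partial input chunk until RATE elements have been
/// observed. `length_binding` selects the hardened squeeze.
struct Sponge {
    state: [u64; WIDTH],
    chunk: Vec<u64>, // partially filled input chunk awaiting a permutation
    observed: u64,   // total number of field elements observed so far
    length_binding: bool,
}

impl Sponge {
    fn new(length_binding: bool) -> Self {
        Sponge { state: [0; WIDTH], chunk: Vec::new(), observed: 0, length_binding }
    }

    /// Push one element into the current chunk; a full chunk is mixed in at once.
    fn absorb(&mut self, x: u64) {
        self.chunk.push(x % P);
        if self.chunk.len() == RATE {
            self.flush();
        }
    }

    /// Observe one transcript element (what a prover's observations go through).
    fn observe(&mut self, x: u64) {
        self.observed += 1;
        self.absorb(x);
    }

    /// Add the buffered chunk into the rate lanes and permute. Lanes that
    /// receive no element are left untouched, which is implicit zero padding.
    fn flush(&mut self) {
        for (i, x) in self.chunk.drain(..).enumerate() {
            self.state[i] = (self.state[i] + x) % P;
        }
        permute(&mut self.state);
    }

    /// Derive one challenge from everything observed so far.
    fn sample(&mut self) -> u64 {
        if self.length_binding {
            // Hardened: mix in the observation count and a nonzero terminator
            // before squeezing, so a partial chunk [a, b] can no longer alias
            // the explicitly observed chunk [a, b, 0, 0].
            let n = self.observed;
            self.absorb(n);
            self.absorb(1);
        }
        // Naive: a partial chunk is implicitly zero-padded and mixed in, while
        // a chunk that was already full has been mixed in identically.
        if !self.chunk.is_empty() {
            self.flush();
        }
        self.state[0]
    }
}

/// Challenge produced after observing `stream` on a fresh sponge.
fn challenge(length_binding: bool, stream: &[u64]) -> u64 {
    let mut s = Sponge::new(length_binding);
    for &x in stream {
        s.observe(x);
    }
    s.sample()
}

/// Run stream A = [a, b] and stream B = [a, b, 0, 0] through a naive and a
/// hardened sponge. Returns (naive_collides, hardened_collides).
fn transcript_binding_demo() -> (bool, bool) {
    let (a, b) = (123_456_789u64, 987_654_321u64); // constructed sample elements
    let stream_a = [a, b];
    let stream_b = [a, b, 0, 0];
    let naive = challenge(false, &stream_a) == challenge(false, &stream_b);
    let hardened = challenge(true, &stream_a) == challenge(true, &stream_b);
    (naive, hardened)
}

fn main() {
    let (naive, hardened) = transcript_binding_demo();
    println!("naive sponge: distinct transcripts collide = {naive}");
    println!("length-bound sponge: distinct transcripts collide = {hardened}");
}
```

The naive collision is exact by construction: both streams leave the state lanes holding (a, b, 0, 0) at the single permutation call, so nothing in the state records whether the zeros were observed or padded. The hardened path always absorbs the count and terminator, so the two transcripts reach the final permutation with different lane contents. The same principle applies to the real challenger's fix: the squeeze must be a function of the exact observation sequence, including its length, rather than of a zero-padded chunk.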
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-vj64-rjf3-w3v7