VDB
CVE-2026-23519
CVE-2026-23519
PUBLISHED
CVSS 8.899999618530273 HIGH
RustCrypto Utilities cmov: `thumbv6m-none-eabi` compiler emits non-constant time assembly when using `cmovnz`
EPSS 0.04% · 11.0th percentile
Risk Scores
CVSS v4.0
8.899999618530273
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS Score
0.04%
11.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| RustCrypto | utils | < 0.4.4, < 0.4.4 |
| crates.io | cmov | 0, 0 |
| rustcrypto | cmov | 0, 0 |
Timeline
- Jan 14, 2026 CVE Published
- Jan 14, 2026 PoC Published
- Jan 16, 2026 EPSS Score
- Jan 19, 2026 EPSS Score
- Jan 22, 2026 EPSS Score
- Jan 23, 2026 CVE Updated
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 25, 2026 EPSS Score
- Jan 27, 2026 EPSS Score
- Jan 30, 2026 EPSS Score
References
- https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp url
- https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-23519 advisory
- https://github.com/RustCrypto/utils package
- https://rustsec.org/advisories/RUSTSEC-2026-0003.html url