RustCrypto CMOV offers conditional move CPU intrinsics intended to execute in constant‑time, ensuring that the compiler does not replace them with branching. Prior to version 0.4.4, compiling this crate for the thumbv6m-none-eabi target (Cortex M0, M0+, and M1) resulted in non‑constant‑time assembly for the cmovnz operation, violating the constant‑time guarantee and creating a data‑dependent timing side‑channel. This flaw permits an attacker who can observe execution timings to infer secret data processed by the intrinsic, potentially compromising cryptographic operations that rely on CMOV for confidentiality.

The affected product is the RustCrypto utils crate, specifically the CMOV component. Versions before 0.4.4 compiled for the thumbv6m-none-eabi target are vulnerable. The vulnerability manifests on Cortex M0, M0+, and M1 silicon where the compiler emits insecure assembly. Upgrading to version 0.4.4 or later resolves the issue.

The CVSS score of 8.9 indicates high severity, while the EPSS score of less than 1% shows that exploitation is likely rare, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker who can run the vulnerable code and accurately measure execution time, either locally or via a remote timing oracle. If successful, the attacker can reconstruct confidential data processed by the CMOV operations. The lack of observable branching in the original design amplifies the risk of covert channel leakage.