Description
Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3.
Published: 2026-06-10
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plonky3, a toolkit for polynomial IOPs, contains a flaw in its MultiField32Challenger that allows an adversary who can influence the prover's observations to craft two distinct transcripts that generate the same Fiat-Shamir challenge. This undermines the binding property of the Fiat-Shamir transform (the derived challenge no longer commits to the whole transcript) and, if exploited, could let an attacker forge or replay proofs, compromising the integrity of any system that relies on those proofs for security. The weakness is classified as CWE-1240 (Use of a Cryptographic Primitive with a Risky Implementation) and CWE-345 (Insufficient Verification of Data Authenticity).

Affected Systems

All users of Plonky3 versions older than 0.4.3 and 0.5.3 are vulnerable; the issue is fixed in those releases and all later ones.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity. Because the EPSS score is not available, the likelihood of exploitation cannot be quantified, but the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at the time of reporting. The attack vector likely requires the attacker to control or tamper with prover-side inputs; the description implies that this is a significant but not trivial prerequisite.

Generated by OpenCVE AI on June 10, 2026 at 23:51 UTC.
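The binding failure described above, illustrated with an added, constructed example that is not Plonky3 code and does not reproduce the mechanism of the actual MultiField32Challenger flaw: a naive transcript that absorbs observations without framing lets two distinct observation sequences hash to one challenge, while a fixed-width, count-prefixed encoding makes the absorbed transcript an injective image of the observations. The exhaustive search `find_transcript_collision` is the kind of regression check a project can run over a small alphabet to confirm that a challenger binds to the whole transcript. All function and constant names are this example's own.

```python
import hashlib
from itertools import product

# Constructed illustration of Fiat-Shamir transcript binding. This is not
# Plonky3 code and does not reproduce the actual MultiField32Challenger flaw;
# it shows the generic failure class (distinct transcripts, identical challenge)
# next to a hardened encoding, plus a small exhaustive check for it.

FIELD_BITS = 32  # observations are modelled as 32-bit field elements


def naive_challenge(observations):
    """Weak transcript: observations are absorbed as bare decimal text with no
    framing, so element boundaries are lost ([12] and [1, 2] both absorb "12")."""
    h = hashlib.sha256(b"challenge-v0")
    for x in observations:
        h.update(str(x).encode())
    return int.from_bytes(h.digest()[:8], "big")


def framed_challenge(observations):
    """Hardened transcript: a fixed-width encoding for every element plus an
    element count, so the absorbed byte string is an injective image of the
    observation sequence and distinct transcripts cannot share an encoding."""
    h = hashlib.sha256(b"challenge-v1")
    h.update(len(observations).to_bytes(8, "big"))
    for x in observations:
        if not 0 <= x < 2 ** FIELD_BITS:
            raise ValueError(f"observation {x} is outside the field range")
        h.update(x.to_bytes(FIELD_BITS // 8, "big"))
    return int.from_bytes(h.digest()[:8], "big")


def find_transcript_collision(challenge_fn, alphabet, max_len):
    """Exhaustively derive challenges for every transcript of length 1..max_len
    over `alphabet` and report the first pair of distinct transcripts that
    collide, or None if the challenger binds on this domain."""
    seen = {}
    for n in range(1, max_len + 1):
        for t in product(alphabet, repeat=n):
            c = challenge_fn(list(t))
            if c in seen:
                return (list(seen[c]), list(t))
            seen[c] = t
    return None


if __name__ == "__main__":
    alphabet = [1, 2, 12]
    print("naive :", find_transcript_collision(naive_challenge, alphabet, 2))
    print("framed:", find_transcript_collision(framed_challenge, alphabet, 3))
```

The search is exhaustive only over tiny domains, so a `None` result is evidence about the encoding, not a proof of collision resistance; its value is in catching structural defects (lost boundaries, lossy packing, missing length or domain separation) that no amount of hash strength repairs.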

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Plonky3 0.4.3, 0.5.3, or any newer release to apply the official fix that restores proper challenge entropy and eliminates transcript malleability.
  • If an upgrade cannot be performed immediately, enforce strict validation of prover-side observation inputs to prevent the creation of malleable transcripts, addressing the root cause identified by CWE-1240.
  • Restrict access to the prover environment and isolate any untrusted input sources to mitigate the risk of exploiting the issue described by CWE-345, reducing the potential for input manipulation attacks.

Generated by OpenCVE AI on June 10, 2026 at 23:51 UTC.

Advisories

Source       ID                    Title
GitHub GHSA  GHSA-vj64-rjf3-w3v7   Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss

History

Thu, 11 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Plonky3
                                      Plonky3 plonky3
Vendors & Products                    Plonky3
                                      Plonky3 plonky3

Wed, 10 Jun 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3.
Title                          Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Weaknesses                     CWE-1240
                               CWE-345
References
Metrics                        cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T14:01:57.462Z

Reserved: 2026-05-15T20:11:54.585Z

Link: CVE-2026-46654

Vulnrichment

Updated: 2026-06-11T14:01:42.457Z

NVD

Status : Deferred

Published: 2026-06-10T22:16:59.757

Modified: 2026-06-11T15:36:44.723

Link: CVE-2026-46654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:40:57Z

Weaknesses
  • CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation
  • CWE-345: Insufficient Verification of Data Authenticity