Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
0.5
Rust `keccak` Crate May Cause Potential Future Errors on ARMv8
GHSA-3288-p39f-rqpv
Summary
A non-critical issue was fixed in the `keccak` crate, which may potentially cause problems in future versions of Rust. This affects users who use the ARMv8 assembly backend, but the impact is currently unknown. The issue has been resolved and the affected versions of the crate have been removed from public access.
What to do
- Update keccak to version 0.1.6.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | keccak | <= 0.1.6 | 0.1.6 |
Original title
Unsoundness in opt-in ARMv8 assembly backend for `keccak`
Original description
### Summary
The `asm!` block enabled by the off-by-default `asm` feature, when enabled on ARMv8 targets, misspecified the operand
type for all of its operands, using `in` for pointers and values which were subsequently mutated by operations performed
within the assembly block.
### Impact
It's unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined
behavior, however changing them had no actual impact on the generated assembly for these targets. The possibility still
exists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.
### Mitigation
The operand types were changed from `in` to `inout`, and the impacted versions of the `keccak` crate were yanked.
The `asm!` block enabled by the off-by-default `asm` feature, when enabled on ARMv8 targets, misspecified the operand
type for all of its operands, using `in` for pointers and values which were subsequently mutated by operations performed
within the assembly block.
### Impact
It's unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined
behavior, however changing them had no actual impact on the generated assembly for these targets. The possibility still
exists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.
### Mitigation
The operand types were changed from `in` to `inout`, and the impacted versions of the `keccak` crate were yanked.
ghsa CVSS4.0
0.5
Vulnerability type
CWE-758
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026