CVE-2026-46654

Description

Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

High

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

High

Availability (Subsequent System)

None

Affected products

Plonky3 / Plonky3< 0.4.3 – < 0.4.3
Plonky3 / Plonky3>= 0.5.0, < 0.5.3 – >= 0.5.0, < 0.5.3

References

VENDOR_ADVISORYhttps://github.com/Plonky3/Plonky3/security/advisories/GHSA-vj64-rjf3-w3v7