risc0-zkvm is vulnerable to Undefined Behavior
Low Risk
The vulnerability lies in the sys_read syscall implementation in the v2 kernel of the zkVM. When handling reads larger than 1024 bytes, the kernel splits the read into smaller chunks, but it fails to update the nwords argument (stored in register a4) as each chunk is consumed. As a result, the syscall may read beyond the end of the supplied buffer or read less data than requested, leading to undefined or unsafe behavior. The fix ensures that the nwords argument (a4) is correctly updated during large read operations, which prevents incorrect read sizes and avoids reading past buffer boundaries. The patch also extends test coverage to reads larger than 1024 bytes so that this class of issue is caught during testing.
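The failure mode described above, as an added host-side model rather than risc0's kernel code: a chunked read loop whose per-chunk word count is either left at the full buffer size (the defect) or recomputed from what is still outstanding (the fix). `MAX_CHUNK_WORDS`, `host_chunk` and `ReadResult` are assumptions made for this illustration; the real register-level ABI is not modelled.

```rust
/// Chunk limit modelled after the 1024-byte split in the advisory (4-byte words).
/// Assumed constant for this example, not taken from the kernel source.
pub const MAX_CHUNK_WORDS: usize = 256;

/// Host side of one chunked request: copies at most one chunk, at most
/// `nwords`, and at most what the host still has. Returns words copied.
fn host_chunk(nwords: usize, host_remaining: usize) -> usize {
    nwords.min(MAX_CHUNK_WORDS).min(host_remaining)
}

/// Words the guest buffer ends up receiving. `Overflow` means the loop
/// accepted more words than the buffer holds, i.e. a write past its end.
#[derive(Debug, PartialEq)]
pub enum ReadResult { Ok(usize), Overflow(usize) }

/// Buggy loop: the request size is derived from the whole buffer once and
/// never reduced, so a later chunk can overshoot the buffer end.
pub fn read_chunked_buggy(buf_words: usize, host_bytes: usize) -> ReadResult {
    let nwords = buf_words;              // defect: never updated per chunk
    let mut host_remaining = host_bytes / 4;
    let mut total = 0;
    while total < buf_words && host_remaining > 0 {
        let got = host_chunk(nwords, host_remaining);
        total += got;
        host_remaining -= got;
    }
    if total > buf_words { ReadResult::Overflow(total) } else { ReadResult::Ok(total) }
}

/// Fixed loop: the request size is recomputed from what is still missing,
/// so the final chunk can never exceed the space left in the buffer.
pub fn read_chunked_fixed(buf_words: usize, host_bytes: usize) -> ReadResult {
    let mut host_remaining = host_bytes / 4;
    let mut total = 0;
    while total < buf_words && host_remaining > 0 {
        let nwords = buf_words - total;  // fix: shrink the request each chunk
        let got = host_chunk(nwords, host_remaining);
        total += got;
        host_remaining -= got;
    }
    if total > buf_words { ReadResult::Overflow(total) } else { ReadResult::Ok(total) }
}

fn main() {
    // A 300-word (1200-byte) buffer with plenty of host data: the buggy loop
    // accepts two full chunks (512 words), the fixed loop stops at 300.
    println!("buggy: {:?}", read_chunked_buggy(300, 4000));
    println!("fixed: {:?}", read_chunked_fixed(300, 4000));
}
```

Reads of 1024 bytes or less take a single chunk and behave identically in both variants, which is why the original test coverage missed the defect.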
You are affected if you are using a version that falls within the vulnerable range.
risc0-zkvm is vulnerable to Undefined Behavior in versions 1.2.0 - 2.0.1.
Upgrade the risc0-zkvm library to the patched version.