risc0-zkvm is vulnerable to Undefined Behavior
Low Risk
The vulnerability lies in the sys_read syscall implementation in the v2 kernel of ZKVM. When handling reads larger than 1024 bytes, the kernel splits the read into smaller chunks. However, it fails to properly update the nwords argument (stored in register a4) during this chunking. As a result, the syscall may read beyond the end of the supplied buffer or not read enough data, leading to undefined or unsafe behavior.

The fix ensures that the nwords argument (a4) is correctly updated during large read operations. This prevents incorrect read sizes and avoids reading past buffer boundaries. The patch also enhances test coverage to include reads larger than 1024 bytes, which helps detect this issue during testing.
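To make the accounting concrete, the following is an added, simplified Rust model (not risc0's code; the real kernel's syscall layout and register handling are not reproduced) of a chunked word read that either refreshes the outstanding word count after each chunk or keeps a stale one, together with the bounds check that stops a stale count from overrunning the caller's buffer:

```rust
// Added illustration, not risc0's code: a simplified model of a chunked read
// that must track how many words are still outstanding (the role the advisory
// assigns to register a4). The real kernel's code is not reproduced here.
const MAX_CHUNK_WORDS: usize = 1024 / 4; // 256 32-bit words, the 1024-byte threshold
/// One chunk request: (offset into the caller's buffer, words requested).
type Chunk = (usize, usize);

/// Plans the chunk requests for `nwords` words. With `refresh_remaining` each request
/// is sized from what is still outstanding; without it the count is never decremented
/// (the defect class the advisory describes), so later chunks can overrun the buffer.
fn plan_chunks(nwords: usize, refresh_remaining: bool) -> Vec<Chunk> {
    let n_chunks = (nwords + MAX_CHUNK_WORDS - 1) / MAX_CHUNK_WORDS;
    let mut plan = Vec::with_capacity(n_chunks);
    let (mut offset, mut remaining) = (0, nwords);
    for _ in 0..n_chunks {
        let count = if refresh_remaining { remaining } else { nwords };
        let req = count.min(MAX_CHUNK_WORDS);
        plan.push((offset, req));
        offset += req;
        remaining = remaining.saturating_sub(req);
    }
    plan
}

/// Executes a plan against an in-memory source, rejecting any chunk that would
/// leave the destination buffer. Returns the number of words copied.
fn execute(plan: &[Chunk], src: &[u32], buf: &mut [u32]) -> Result<usize, String> {
    let mut done = 0;
    for &(off, req) in plan {
        if off + req > buf.len() {
            return Err(format!("chunk at {} requests {} words, buffer has {}", off, req, buf.len()));
        }
        let avail = src.len().saturating_sub(off).min(req);
        if avail == 0 { break; } // host has nothing more to supply
        buf[off..off + avail].copy_from_slice(&src[off..off + avail]);
        done += avail;
    }
    Ok(done)
}

fn main() {
    let src: Vec<u32> = (0..300).collect(); // constructed sample input, > 1024 bytes
    let mut buf = vec![0u32; 300];
    for &refresh in &[true, false] {
        println!("refresh={} -> {:?}", refresh, execute(&plan_chunks(300, refresh), &src, &mut buf));
    }
}
```

With the count refreshed, a 300-word read is planned as 256 + 44 words and completes; with a stale count the second chunk again requests 256 words and the bounds check rejects it.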
You are affected if you are using a version that falls within the vulnerable range.
risc0-zkvm is vulnerable to Undefined Behavior in versions 1.2.0 - 2.0.1.
Upgrade the risc0-zkvm library to a patched version.