Skip to main content

CVE-2026-40323

HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-04-14 https://github.com/succinctlabs/sp1 GHSA-63x8-x938-vx33
8.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 18, 2026 - 00:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 00:22 vuln.today
cvss_changed
CVSS changed
Apr 18, 2026 - 00:22 NVD
8.9 (HIGH)
Patch released
Apr 14, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 14, 2026 - 00:37 vuln.today
Analysis Generated
Apr 14, 2026 - 00:30 vuln.today
CVE Published
Apr 14, 2026 - 00:05 nvd
HIGH 8.9

DescriptionGitHub Advisory

Summary

A soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof that the native verifier would reject.

  • Affected versions: >= 6.0.0, <= 6.0.2
  • Not affected: SP1 V5 (all versions)
  • Severity: High

Details

Background

The recursive shard verifier circuit verifies shard proofs inside a recursive proof. Each shard proof includes a jagged PCS opening, which binds trace-shape metadata into a modified commitment and uses that same shape to evaluate the committed polynomials. These two operations must agree on the committed table heights.

The Bug

In the V6 recursion circuit's jagged verifier, the two checks above are served by separate witnesses: a vector of row counts hashed into the modified commitment (commitment side), and a separate witness of prefix sums derived from row and column counts that drives the jagged polynomial evaluator (evaluation side). The prefix sums are observed within the shard verifier.

The consistency check between these two witnesses was missing in the recursion sub-circuit describing the jagged PCS verifier. A malicious prover can therefore supply one trace shape for commitment binding and a different shape for polynomial evaluation.

Potential Impact

The vulnerability applies to both main trace and preprocessed trace metadata. Because preprocessed traces encode circuit structure (selectors, fixed columns, permutation layout), the potential impact extends beyond data forgery to misrepresentation of the circuit itself.

While a demonstration of a full exploit proving arbitrary statements has not been created - since modifying one table's layout incidentally constrains changes to related tables - this barrier is not by design and should not be relied upon. This is considered a soundness violation that is unacceptable regardless of current exploitability.

Why the Native Verifier Is Not Affected

The native shard verifier uses a single jagged PCS verifier object where row counts and evaluation layout are derived from the same data, so the split-witness divergence cannot occur. The recursion circuit's shard-level checks (prefix-sum and total-area assertions) only constrain the evaluation-side parameters, not the commitment-side row counts, so they do not catch the gap.

Mitigation

The fix adds a post-evaluation consistency constraint in the recursive jagged verifier. After the jagged evaluation returns the prefix-sum values derived from the evaluation layout, the circuit reconstructs expected prefix sums from the commitment-side row counts (repeating each row count by its corresponding column count and accumulating). It then asserts element-wise equality between the reconstructed and returned prefix sums, and verifies that the final accumulated area matches the total area from the evaluation parameters.

This forces both witnesses to describe the same trace geometry. Any divergence is now a constraint failure.

Credit

This vulnerability was identified through the SP1 bug bounty program on Code4rena.

AnalysisAI

Soundness violation in SP1 V6 recursive proof verifier enables malicious provers to construct recursive proofs from invalid shard proofs that native verifiers would reject. The vulnerability affects SP1 zkVM versions 6.0.0 through 6.0.2 (Rust crates sp1_sdk, sp1_recursion_circuit, sp1_prover) and allows forgery of zero-knowledge proofs by exploiting missing consistency checks between commitment-side and evaluation-side trace shape witnesses in the jagged PCS verifier circuit. This permits misrepresentation of circuit structure itself, not just data, undermining the fundamental soundness guarantees of the proof system. No public exploit exists at time of analysis, though the vulnerability was identified through SP1's bug bounty program on Code4rena. CVSS 8.9 reflects high integrity impact to both vulnerable and subsequent system components.

Technical ContextAI

SP1 is a zero-knowledge virtual machine (zkVM) that generates recursive STARK proofs. The vulnerability lies in the V6 recursion circuit's implementation of jagged Polynomial Commitment Scheme (PCS) verification. In zkSNARK/STARK systems, PCS bindings ensure that committed polynomials match their evaluations. SP1's jagged PCS handles variable-height trace tables by binding trace shape metadata (row/column counts) into commitments and using those same dimensions during polynomial evaluation. The recursion circuit creates proofs-of-proofs by verifying shard proofs inside larger recursive proofs. The bug stems from CWE-345 (Insufficient Verification of Data Authenticity): the circuit uses separate witnesses for commitment binding (vector of row counts) and polynomial evaluation (prefix sums from row/column counts) without cross-validating them. The native verifier uses a unified object where both operations share the same underlying data, preventing the divergence. Because preprocessed traces encode circuit selectors, fixed columns, and permutation layouts, manipulating trace geometry can misrepresent the circuit's logic itself, not merely the witness data.

RemediationAI

Upgrade immediately to SP1 V6.1.0 or later, released by Succinct Labs at https://github.com/succinctlabs/sp1/releases/tag/v6.1.0. The patched version adds post-evaluation consistency constraints in the recursive jagged verifier: after jagged evaluation returns prefix sums from the evaluation layout, the circuit reconstructs expected prefix sums from commitment-side row counts (repeating each row count by its column count and accumulating), then asserts element-wise equality between reconstructed and returned prefix sums and verifies final accumulated area matches total area from evaluation parameters. This forces both witnesses to describe identical trace geometry, making any divergence a constraint failure. No workarounds exist - the fix requires circuit-level changes. If immediate upgrade is impossible, the only compensating control is to disable recursive proof generation in SP1 V6 deployments and revert to SP1 V5 (confirmed unaffected), though this sacrifices V6 performance improvements and recursive proof capabilities. Side effect: reverting to V5 may break applications depending on V6-specific features. Do not accept recursive proofs generated by V6.0.0-6.0.2 provers in production systems without re-verification using patched verifiers.

Share

CVE-2026-40323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy