GHSA-q29p-9pfr-j652: libcrux-sha3: Incorrect output from SHAKE squeeze functions
Severity: High
Tags: vulnerability, security
Source: GitHub Advisory Database, March 26, 2026
Summary
A bug in libcrux-sha3's SHAKE squeeze functions (the incremental operations that extract output from the sponge construction) caused them to skip the first block of output whenever more than one block was requested (168 bytes for SHAKE128, 136 bytes for SHAKE256). Callers therefore received incorrect, incomplete output from these functions. The bug did not affect the library's use in other libcrux components such as libcrux-ml-kem or libcrux-ml-dsa.
Solution / Mitigation
Starting from version 0.0.8, the squeeze functions correctly output all blocks including the first block.
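A practical way to confirm that a SHAKE implementation squeezes correctly across the block boundary described above is to compare its output, at lengths just below, at and above the rate, against a known-good reference, and to check the prefix property (a longer squeeze must begin with the bytes of a shorter one), which needs no reference at all. The following is an added example, not libcrux code: it uses Python's hashlib as the reference SHAKE and includes a constructed model of the defect (dropping the first block when more than one block is squeezed) so the check can be seen catching exactly that signature. The rate constants are the values given in the advisory.

```python
"""Regression check for SHAKE squeeze output around the block (rate) boundary.

Added example, not libcrux code. hashlib is the reference implementation;
make_first_block_skipping() is a constructed model of the advisory's bug.
"""
from __future__ import annotations

import hashlib
from typing import Callable

# Sponge rates in bytes, as stated in the advisory.
SHAKE128_RATE = 168
SHAKE256_RATE = 136

# A SHAKE-style XOF: (message, output_length) -> output bytes.
Shake = Callable[[bytes, int], bytes]


def reference_shake128(msg: bytes, n: int) -> bytes:
    return hashlib.shake_128(msg).digest(n)


def reference_shake256(msg: bytes, n: int) -> bytes:
    return hashlib.shake_256(msg).digest(n)


def make_first_block_skipping(ref: Shake, rate: int) -> Shake:
    """Constructed model of the defect (not libcrux code): any squeeze longer
    than one block is missing its first `rate` bytes, i.e. the output is the
    correct output shifted forward by one block."""
    def buggy(msg: bytes, n: int) -> bytes:
        if n <= rate:
            return ref(msg, n)
        return ref(msg, n + rate)[rate:]
    return buggy


def check_squeeze(impl: Shake, ref: Shake, rate: int, msg: bytes = b"") -> list[str]:
    """Return a list of findings; an empty list means `impl` agrees with `ref`
    at every probed length and satisfies the prefix property."""
    findings: list[str] = []
    # Probe lengths that straddle the one-block boundary.
    for n in (1, rate - 1, rate, rate + 1, 2 * rate, 2 * rate + 1):
        got = impl(msg, n)
        want = ref(msg, n)
        if len(got) != n:
            findings.append(f"len {n}: returned {len(got)} bytes")
            continue
        if got != want:
            # Distinguish the known first-block-skip signature from other mismatches.
            if n > rate and got == ref(msg, n + rate)[rate:]:
                findings.append(f"len {n}: output is the reference shifted by one block (first block dropped)")
            else:
                findings.append(f"len {n}: output mismatch")
    # Prefix property: squeezing two blocks must start with the one-block output.
    # This check is reference-free and still catches the first-block skip.
    short, long_ = impl(msg, rate), impl(msg, 2 * rate)
    if long_[:rate] != short:
        findings.append("prefix property violated: squeeze(2*rate) does not start with squeeze(rate)")
    return findings


if __name__ == "__main__":
    print("reference SHAKE128:", check_squeeze(reference_shake128, reference_shake128, SHAKE128_RATE))
    buggy128 = make_first_block_skipping(reference_shake128, SHAKE128_RATE)
    for finding in check_squeeze(buggy128, reference_shake128, SHAKE128_RATE):
        print("buggy SHAKE128:", finding)
```

To apply this to a real library, wrap its one-shot or incremental squeeze in a function with the `Shake` signature and pass it as `impl`; the prefix-property check alone is enough to flag the first-block skip when no independent reference is available.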
Classification
Attack Sophistication: Moderate
Affected Packages
libcrux-sha3 < 0.0.8 (fixed in 0.0.8)
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-q29p-9pfr-j652
First tracked: March 26, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%