CVE-2023-44378

CVE-2023-44378 is a high-severity vulnerability in Consensys Gnark with a CVSS 3.x base score of 7.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-191.

Key facts

Description

gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second decomposition for `a+r` (where `r` is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined. Upgrading to version 0.9.0 should fix the issue without needing to change the calls to value comparison methods.

Frequently asked questions

What is CVE-2023-44378?
gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second decomposition for `a+r` (where `r` is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined. Upgrading to version 0.9.0 should fix the issue without needing to change the calls to value comparison methods.
How severe is CVE-2023-44378?
CVE-2023-44378 has a CVSS 3.x base score of 7.1, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
Is CVE-2023-44378 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (13th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-44378?
CVE-2023-44378 affects Consensys Gnark. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-44378?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
When was CVE-2023-44378 published?
CVE-2023-44378 was published on 2023-10-09 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Consensys Gnark

All CVEs affecting Consensys Gnark →

Other CWE-191 (Integer Underflow) vulnerabilities

Browse all CWE-191 (Integer Underflow) vulnerabilities →