CVE-2025-46723 Overview
OpenVM is a modular zero-knowledge virtual machine (zkVM) framework designed for customization and extensibility. Version 1.0.0 contains an integer overflow vulnerability in the byte decomposition logic of the pc register inside the AUIPC chip. A typo in the range-check enumeration causes the highest limb of pc to be range-checked to 8 bits instead of 6 bits. A malicious prover can exploit this flaw to make the destination register accept a value different from what the AUIPC instruction dictates by overflowing the BabyBear field. The OpenVM maintainers patched the issue in version 1.1.0.
Critical Impact
A malicious prover can forge AUIPC instruction outputs in proven program execution, compromising the soundness of zero-knowledge proofs generated by OpenVM 1.0.0.
Affected Products
- OpenVM zkVM framework version 1.0.0
- OpenVM rv32im circuit extension (AUIPC chip)
- Applications relying on OpenVM 1.0.0 for proof generation
Discovery Timeline
- 2025-05-02 - CVE-2025-46723 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-46723
Vulnerability Analysis
The flaw exists in the AUIPC (Add Upper Immediate to PC) chip implementation within the rv32im circuit extension at extensions/rv32im/circuit/src/auipc/core.rs. OpenVM decomposes the program counter into multiple limbs and range-checks each limb to constrain its size. The intent is to check the highest limb (pc_limbs[3]) to 6 bits while the lower limbs are checked to 8 bits. Because of a typo, the enumeration iterates through indices i=0,1,2 instead of i=1,2,3, so the conditional that applies the 6-bit constraint never triggers on the correct limb. As a result, pc_limbs[3] is range-checked to 8 bits.
Root Cause
The root cause is an incorrect resource sizing pattern classified under [CWE-131] (Incorrect Calculation of Buffer Size). The off-by-one enumeration error allows the decomposition of pc to span more bits than the field arithmetic safely supports. Because OpenVM operates over the BabyBear prime field, a four-limb decomposition exceeding the intended bit width can wrap around the field modulus, producing a decomposition that does not equal the true pc value.
Attack Vector
A malicious prover constructs an AUIPC instruction execution where the limb decomposition of pc overflows the BabyBear field. Because the highest limb passes the relaxed 8-bit check, the prover can supply limbs whose reconstructed value differs from the actual program counter. This causes the destination register to hold an attacker-chosen value while still satisfying all proof constraints. The vulnerability undermines the integrity guarantees of zero-knowledge proofs produced by OpenVM 1.0.0 without requiring privileges or user interaction.
No public proof-of-concept code is available. The vulnerability mechanism is documented in the OpenVM security advisory GHSA-jf2r-x3j4-23m7 and the Cantina findings report referenced below.
Detection Methods for CVE-2025-46723
Indicators of Compromise
- Proofs generated by OpenVM 1.0.0 where AUIPC instruction outputs do not match expected program counter arithmetic.
- Destination register values in verified traces that deviate from the deterministic AUIPC computation.
- Use of the vulnerable rv32im circuit extension at commit 0f94c8a3dfa7536c1231465d1bdee5fc607a5993 or earlier.
Detection Strategies
- Audit dependency manifests and lockfiles for OpenVM 1.0.0 and pin to 1.1.0 or later.
- Re-verify historical proofs generated by OpenVM 1.0.0 using a patched verifier where possible.
- Compare AUIPC chip source against the fixed implementation in GitHub Commit 68da4b50.
Monitoring Recommendations
- Track new releases and advisories from the OpenVM Security Advisory feed.
- Log and alert on continuous integration builds that resolve OpenVM to the vulnerable version.
- Review prover infrastructure logs for anomalous AUIPC trace generation patterns.
How to Mitigate CVE-2025-46723
Immediate Actions Required
- Upgrade OpenVM to version 1.1.0 or later as published in the GitHub Release v1.1.0.
- Invalidate and regenerate any proofs produced by OpenVM 1.0.0 in security-sensitive contexts.
- Rebuild and redeploy applications that statically link the vulnerable rv32im circuit extension.
Patch Information
The OpenVM maintainers patched the typo in the AUIPC chip enumeration, restoring the 6-bit range check on pc_limbs[3]. The fix is included in version 1.1.0 and is described in the GitHub Security Advisory GHSA-jf2r-x3j4-23m7. Technical analysis is available in the Cantina Findings Report.
Workarounds
- No supported workaround exists; upgrading to OpenVM 1.1.0 is the only remediation.
- Restrict prover access to trusted parties until the upgrade is completed.
- Disable execution paths that rely on the AUIPC instruction where feasible until patched.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
