{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90446?format=json","vulnerability_id":"VCID-zktq-z4re-wqga","summary":"Triton VM has a Soundness Vulnerability due to Improper Sampling of Randomness\nIn affected versions of Triton VM, the verifier failed to correctly sample randomness in the FRI sub-protocol.\n\nMalicious provers can exploit this to craft proofs for arbitrary statements that this verifier accepts as valid, undermining soundness.\n\nProtocols that rely on proofs and the supplied verifier of the affected versions of Triton VM are completely broken. Protocols implementing their own verifier might be unaffected.\n\nThe flaw was corrected in commit 3a045d63, where the relevant randomness is sampled correctly.","aliases":[{"alias":"GHSA-rjr4-v43m-pxq6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/514671?format=json","purl":"pkg:cargo/triton-vm@2.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/triton-vm@2.0.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/514670?format=json","purl":"pkg:cargo/triton-vm@0.41.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-zktq-z4re-wqga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/triton-vm@0.41.0"}],"references":[{"reference_url":"https://github.com/TritonVM/triton-vm","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TritonVM/triton-vm"},{"reference_url":"https://github.com/TritonVM/triton-vm/commit/3a045d636e97bb2eb628671db0001aa665c19dd8","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TritonVM/triton-vm/commit/3a045d636e97bb2eb628671db0001aa665c19dd8"},{"reference_url":"https://github.com/TritonVM/triton-vm/releases/tag/v2.0.0","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TritonVM/triton-vm/releases/tag/v2.0.0"},{"reference_url":"https://rustsec.org/advisories/RUSTSEC-2026-0004.html","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rustsec.org/advisories/RUSTSEC-2026-0004.html"},{"reference_url":"https://github.com/advisories/GHSA-rjr4-v43m-pxq6","reference_id":"GHSA-rjr4-v43m-pxq6","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rjr4-v43m-pxq6"}],"weaknesses":[{"cwe_id":330,"name":"Use of Insufficiently Random Values","description":"The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers."}],"exploits":[],"severity_range_score":"0.1 - 3","exploitability":"0.5","weighted_severity":"2.7","risk_score":1.4,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zktq-z4re-wqga"}