CVE-2026-46654
HighCVSS 8.9Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations could craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir.
Risk Assessment
Organizations using the vulnerable versions may be exposed to attacks that could lead to fraud in processes requiring challenge integrity.
Recommendation
It is recommended to upgrade to versions 0.4.3 or 0.5.3 to mitigate this vulnerability.
Original NVD description (English source)
Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3.

