Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
CVE-2026-46654

8.9HIGH

Key Information:

Vendor: Plonky3
Status: Plonky3
Vendor: CVE Published:; 10 June 2026

What is CVE-2026-46654?

Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3.

Affected Version(s)

Plonky3 < 0.4.3 < 0.4.3

Plonky3 >= 0.5.0, < 0.5.3 < 0.5.0, 0.5.3

References

https://github.com/Plonky3/Plonky3/security/advisories/GH...

x_refsource_CONFIRM

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
May 15, 2026

CVE-2026-46654 Data

JSON