RustCrypto cmov Flaw Undermined Constant-Time Behavior on Cortex-M0

- What: A flaw in RustCrypto’s cmov crate could cause constant-time code to compile into ordinary branches on ARM Cortex-M0 devices, creating a timing side-channel risk and prompting a patch for CVE-2026-23519.
- Where: ARM Cortex-M0 embedded systems.
- When: After the vulnerability was disclosed and a patch was released.

A disclosed flaw in RustCrypto’s cmov crate revealed a specific but important failure: on ARM Cortex-M0 devices, code meant to run in constant time could be compiled into ordinary branches instead. That changed the security properties developers were relying on and opened the door to timing-based side-channel leakage.
Cortex-M0 Constant-Time Failure
The issue was tied to an LLVM optimization pass and was tracked as CVE-2026-23519. On affected builds, the crate’s conditional-move behavior no longer consistently held to its intended constant-time model. In cryptographic code, that distinction matters. If secret-dependent behavior can be observed indirectly through timing differences, an attacker may be able to infer sensitive information that should never leave the device.
LLVM Optimization and CVE-2026-23519
What makes the bug notable is not that it affected every RustCrypto user everywhere, but that it undermined a guarantee many embedded developers assume is handled once a library is chosen. Cortex-M0 systems are common in constrained and security-sensitive environments, so a compiler-triggered change in execution behavior is more than a performance quirk. It alters the threat model for any software depending on cmov to avoid data-dependent branching.
A patch was released to address the problem, and that is the practical dividing line in this story. Teams shipping Rust-based cryptographic code for Cortex-M0 targets need to know whether they pulled in an affected version and whether their builds relied on the vulnerable behavior. For those cases, updating is not just routine maintenance; it restores a property the code was expected to have in the first place.
Patch and Security Impact
The broader implication is concrete. Cryptographic safety can fail in the gap between source code intent and compiled machine code, especially on narrow hardware targets where low-level behavior matters. This disclosure did not just identify a bug in a crate. It showed that for embedded security work, “constant-time” is only meaningful if it survives the compiler path all the way to the chip.
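One way to check that property on the compiled output, as an added example that is not part of the original article or of RustCrypto's code: a scanner that reads an `arm-none-eabi-objdump -d` style listing and reports conditional branches inside one function. The two listings and the symbol name `select_u8` are constructed for illustration.

```rust
/// Thumb B<cond> mnemonics. ARMv6-M (Cortex-M0) has no CBZ/CBNZ or IT blocks.
pub const COND_BRANCHES: [&str; 16] = [
    "beq", "bne", "bcs", "bhs", "bcc", "blo", "bmi", "bpl",
    "bvs", "bvc", "bhi", "bls", "bge", "blt", "bgt", "ble",
];

/// Constructed listing (hypothetical symbol `select_u8`): compare and branch.
pub const BRANCHY: &str = "00000000 <select_u8>:\n\
    0:\t2a00\tcmp\tr2, #0\n\
    2:\td000\tbeq.n\t6 <select_u8+0x6>\n\
    4:\t0008\tmovs\tr0, r1\n\
    6:\t4770\tbx\tlr\n";

/// Constructed listing: the same select as mask arithmetic, no branch.
pub const BRANCHLESS: &str = "00000000 <select_u8>:\n\
    0:\t4252\tnegs\tr2, r2\n\
    2:\t4041\teors\tr1, r0\n\
    4:\t4011\tands\tr1, r2\n\
    6:\t4048\teors\tr0, r1\n\
    8:\t4770\tbx\tlr\n";

/// Returns every conditional-branch instruction line inside `symbol`.
pub fn conditional_branches(disasm: &str, symbol: &str) -> Vec<String> {
    let header = format!("<{}>:", symbol);
    let (mut inside, mut hits) = (false, Vec::new());
    for line in disasm.lines().map(str::trim_end) {
        if line.ends_with(">:") {
            inside = line.ends_with(&header); // header looks like "00000000 <name>:"
            continue;
        }
        // Instruction lines are tab-separated: address, encoding, mnemonic, operands.
        let mnemonic = match line.split('\t').nth(2) {
            Some(m) if inside => m.trim(),
            _ => continue,
        };
        // objdump appends a width suffix (".n" / ".w"); compare the base mnemonic.
        let base = mnemonic.split('.').next().unwrap_or(mnemonic);
        if COND_BRANCHES.contains(&base) {
            hits.push(line.trim().replace('\t', " "));
        }
    }
    hits
}

fn main() {
    for (name, listing) in [("branchy", BRANCHY), ("branchless", BRANCHLESS)] {
        println!("{}: {:?}", name, conditional_branches(listing, "select_u8"));
    }
}
```

An empty result only rules out conditional branches in that one function; it does not by itself establish constant-time execution.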
Did You Know?
RustCrypto is an open-source project that provides cryptographic building blocks for Rust applications.