CVE-2024-50354: 
Linux openSUSE vulnerability analysis and mitigation

gnark, a fast zk-SNARK library that offers a high-level API to design circuits, was found to have a vulnerability in version 0.11.0 and earlier. The vulnerability was discovered on October 31, 2024, affecting the deserialization of Groth16 verification keys (GitHub Advisory).

The vulnerability occurs during the deserialization of Groth16 verification keys, where the code allocates excessive memory based on untrusted input. When processing certain files representing a VerifyingKey, the deserialization process allocates a slice with a length directly extracted from the deserialized file. This can lead to memory allocations of approximately 1TB in some configurations, ultimately triggering a crash with the error 'fatal error: runtime: out of memory' (GitHub Advisory).

The vulnerability can lead to a denial of service (DoS) condition for both prover and verifier when processing maliciously crafted inputs such as public keys or verification keys. The issue results in excessive memory consumption and potential system crashes (GitHub Advisory).

The vulnerability has been patched in PR #1307 and merged to gnark master at commit 47ae846. The fix will be included in the next minor release v0.11.1. For systems that cannot immediately update, it is recommended to run key verification as a separate service which halts the verification pipeline in case of OOM when verification keys come from untrusted sources (GitHub Advisory).