CVE-2025-46723: 
Rust vulnerability analysis and mitigation

OpenVM, a performant and modular zkVM framework designed for customization and extensibility, was found to contain a critical vulnerability (CVE-2025-46723) in version 1.0.0, discovered on May 2, 2025. The vulnerability affects the AUIPC chip implementation and has been assigned a CVSS v4.0 score of 7.8 (HIGH) (NVD, GitHub Advisory).

The vulnerability occurs in the AUIPC chip constraints where an enumeration error in the code causes the highest limb of pc to be incorrectly range checked. The issue manifests because the enumeration gives i=0,1,2 when it should give i=1,2,3, resulting in pc_limbs[3] being range checked to 8-bits instead of the required 6-bits. This occurs due to incorrect ordering of enumerate and skip operations in the code (GitHub Advisory).

The vulnerability allows the pc_limbs decomposition to differ from the true pc value. This discrepancy enables a malicious prover to manipulate the destination register to take a different value than what the AUIPC instruction specifies by causing the decomposition to overflow the BabyBear field (GitHub Advisory, Wiz).

The vulnerability has been patched in OpenVM version 1.1.0. All users are strongly recommended to update to this version immediately. The fix involves correcting the enumeration logic in the AUIPC chip constraints (GitHub Release).