CVE-2025-61588: 
Rust vulnerability analysis and mitigation

CVE-2025-61588 affects RISC Zero, a zero-knowledge verifiable general computing platform based on zk-STARKs and RISC-V microarchitecture. The vulnerability was discovered in multiple components including risc0-zkvm-platform (versions ≤2.0.2), risc0-aggregation (versions <0.9), risc0-zkos-v1compat (versions <2.1.0), and risc0-zkvm (versions between 3.0.0-rc.1 and 3.0.1). The issue was disclosed on October 1, 2025, and has been assigned a CVSS v4.0 base score of 9.3 (CRITICAL) (GitHub Advisory).

The vulnerability occurs when the zkVM guest calls sys_read, allowing the host to use a crafted response to write to an arbitrary memory location in the guest. This memory safety failure stems from vulnerable pointer arithmetic in the implementation. The issue has been classified as CWE-94 (Improper Control of Generation of Code) and received a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).

The vulnerability critically compromises the soundness guarantees of the guest program by enabling arbitrary code execution within the guest. As sys_read is the primary mechanism for input requests by the guest, all guest programs built with the affected versions are vulnerable (GitHub Advisory).

The vulnerability has been fixed in risc0-zkvm-platform 2.1.0, risc0-zkos-v1compat 2.1.0, risc0-aggregation 0.9, and risc0-zkvm versions 2.3.2 and 3.0.3. The fix involves removing vulnerable pointer arithmetic and implementing a simplified version in the v1compat kernel using Rust's slice functions to guarantee memory safety. Developers should update their zkVM applications to use risc0-zkvm versions ^2.3.2 or ^3.0.3 and ensure risc0-zkvm-platform is at version 2.1.0 or later (GitHub Advisory).