CVE-2025-61588: 
Rust vulnerability analysis and mitigation

CVE-2025-61588 affects RISC Zero, a zero-knowledge verifiable general computing platform based on zk-STARKs and RISC-V microarchitecture. The vulnerability was discovered and disclosed on October 1, 2025, affecting multiple components including risc0-zkvm-platform (versions ≤2.0.2), risc0-aggregation (versions <0.9), risc0-zkos-v1compat (versions <2.1.0), and risc0-zkvm (versions between 3.0.0-rc.1 and 3.0.1) (GitHub Advisory).

The vulnerability occurs when the zkVM guest calls sys_read, allowing the host to use a crafted response to write to an arbitrary memory location in the guest. This vulnerability is classified as a Critical severity issue with a CVSS 4.0 Base Score of 9.3 (CRITICAL) and vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue is categorized under CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability critically compromises the soundness guarantees of the guest program. As sys_read is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable to arbitrary code execution within the guest environment (GitHub Advisory).

The vulnerability has been fixed in risc0-zkvm-platform 2.1.0, risc0-zkos-v1compat 2.1.0, risc0-aggregation 0.9, and risc0-zkvm versions 2.3.2 and 3.0.3. The fix was implemented through PR #3351, which removed vulnerable pointer arithmetic and replaced it with a simplified implementation in the v1compat kernel using Rust's slice functions to guarantee memory safety (GitHub PR).