Nicky Mouha

#15092 of 53,632
17.8 Total CVSS
Vulnerabilities · 2
High · 1
Critical · 1

PT-2022-5188 · CVSS 10 · 2022-10-20 · Unknown · Keccak Xkcp Sha-3 · CVE-2022-37454

**Name of the Vulnerable Software and Affected Versions**
Keccak XKCP SHA-3 reference implementation versions before fdc6fef

**Description**
The issue is related to an integer overflow and resultant buffer overflow in the sponge function interface of the Keccak XKCP SHA-3 reference implementation. This allows attackers to execute arbitrary code or eliminate expected cryptographic properties. The problem occurs when partial data with specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more.

**Recommendations**
To resolve the issue, update the Keccak XKCP SHA-3 reference implementation to a version after fdc6fef. As a temporary workaround, consider limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Alternatively, process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether.

PT-2019-19182 · CVSS 7.8 · 2019-12-18 · Apple · Itunes · CVE-2019-8741

**Name of the Vulnerable Software and Affected Versions**
No specific software or versions are mentioned.

**Description**
A denial of service issue exists due to inadequate input validation, allowing attackers to cause a denial of service.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.