PT-2025-40308 · Unknown · Risc0-Zkvm+4

Nategraf · Published 2025-10-01 · Updated 2025-10-08 · CVE-2025-61588

CVSS v4.0: 9.3 Critical

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

risc0-zkvm-platform versions 2.0.2 and below
risc0-aggregation versions below 0.9
risc0-zkos-v1compat versions below 2.1.0
risc0-zkvm versions 3.0.0-rc.1 through 3.0.1

Description

The software contains a flaw related to memory safety in the sys_read function. When the zkVM guest calls sys_read, the host can manipulate the response to write to arbitrary memory locations within the guest. This can lead to arbitrary code execution within the guest environment, compromising the soundness of the guest program. The sys_read function is used by the guest to request input, making all guest programs built with affected versions potentially vulnerable. The issue stems from vulnerable pointer arithmetic in the sys_read function.

Recommendations

risc0-zkvm-platform versions prior to 2.1.0, risc0-aggregation versions prior to 0.9, risc0-zkos-v1compat versions prior to 2.1.0, and risc0-zkvm versions 3.0.0-rc.1 through 3.0.1 should be updated to version 2.3.2 or 3.0.3.

Update references to risc0-zkvm in Cargo.toml to version specifiers "2.3.2" or "3.0.3".
Update references to risc0-build in Cargo.toml to version specifiers "2.3.2" or "3.0.3".
Rebuild your application, including the guest.
Update any applications using the image ID of this guest with the newly built image ID.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-61588
GHSA-JQQ4-C7WQ-36H7

Affected Products

Risc0-Aggregation
Risc0-Build
Risc0-Zkos-V1Compat
Risc0-Zkvm
Risc0-Zkvm-Platform