CVE Details
Basic Information
| Title | RISC Zero Underconstrained Vulnerability: Division |
|---|---|
| Type | cve |
| Published | 2025-08-05T23:35:09.208Z |
| Modified | 2025-08-05T23:35:09.208Z |
Product Information
| Vendor | risc0 |
|---|---|
| Product | risc0 |
| Version | >= 2.0.0, < 2.2.0 |
CVSS Information
| Base Score | 2.7 (LOW) |
|---|---|
| Vector String | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U |
AI Analysis
| AI Description | This vulnerability affects the RISC Zero platform, where signed integer division can produce multiple outputs for certain inputs and division by zero is underconstrained. These issues are fixed in later versions of the affected packages. |
|---|---|
| AI Severity | Low |
| AI Vendor | RISC Zero Project |
| AI Product | RISC Zero |
| AI Version | 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0 |
Affected Products
- risc0 risc0 >= 2.0.0, < 2.2.0
Additional Information
| CWE List | CWE-369 |
|---|---|
| Source | GitHub_M |
Description
RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. The RISC Zero packages risc0-zkvm versions 2.0.0 through 2.1.0 and risc0-circuit-rv32im and risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4 contain vulnerabilities where signed integer division allows multiple outputs for certain inputs with only one being valid, and division by zero results are underconstrained. This issue is fixed in risc0-zkvm version 2.2.0 and in version 3.0.0 of the risc0-circuit-rv32im and risc0-circuit-rv32im-sys packages.
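As an added illustration (not RISC Zero's circuit code, and not a claim about its exact constraint system), the following toy model shows the class of bug the description names: a division relation that accepts more than one (q, r) witness for the same inputs, beside a check pinned to the RISC-V rv32im result, which is unique. The function names (riscv_div_rem, naive_accepts, sound_accepts, naive_witnesses) are assumptions of this example.

```python
# Added example (not RISC Zero's code): a toy model of why an integer-division
# constraint can be "underconstrained". A prover supplies (q, r) as a witness;
# the verifier only checks relations. If the relations admit more than one
# (q, r) for the same (a, b), a dishonest prover may choose whichever it likes.
M = 1 << 32
MASK = M - 1

def to_signed(x):
    """Interpret a 32-bit pattern as a two's-complement integer."""
    x &= MASK
    return x - M if x & 0x80000000 else x

def riscv_div_rem(a, b):
    """The single correct (q, r) for rv32im DIV/REM, as unsigned 32-bit words.
    Edge cases follow the RISC-V M extension: b == 0 gives q = -1, r = a;
    INT_MIN / -1 gives q = INT_MIN, r = 0; otherwise truncation toward zero."""
    a, b = to_signed(a), to_signed(b)
    if b == 0:
        return (-1) & MASK, a & MASK
    if a == -(1 << 31) and b == -1:
        return a & MASK, 0
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return q & MASK, (a - q * b) & MASK

def naive_accepts(a, b, q, r):
    """Underconstrained check (deliberately incomplete, for illustration):
    only a == b*q + r (mod 2^32) and |r| < |b|; nothing pins down the sign
    of r, and nothing at all bounds r when b == 0."""
    a, b, q, r = (to_signed(v) for v in (a, b, q, r))
    if (b * q + r - a) % M != 0:
        return False
    return b == 0 or abs(r) < abs(b)

def sound_accepts(a, b, q, r):
    """Fully constrained check: the witness must equal the unique spec result."""
    return (q & MASK, r & MASK) == riscv_div_rem(a, b)

def naive_witnesses(a, b, q_range, r_range):
    """Enumerate every (q, r) in the given window that the naive check accepts."""
    return sorted((q, r) for q in q_range for r in r_range if naive_accepts(a, b, q, r))

if __name__ == "__main__":
    # 7 / -2: the spec answer is q=-3, r=1, but (-4, -1) also satisfies 7 = (-2)(-4) + (-1).
    print(naive_witnesses(7, -2, range(-6, 6), range(-3, 4)))
    # 7 / 0: every q with r = 7 passes the naive check; the spec allows only (-1, 7).
    print(naive_witnesses(7, 0, range(-3, 3), range(-8, 9)))
```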