PatchSiren cyber security CVE debrief
CVE-2026-46654 Plonky3 CVE debrief
CVE-2026-46654 is a high-severity vulnerability in Plonky3, a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3.
- Vendor: Plonky3
- Product: Unknown
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of Plonky3 versions prior to 0.4.3 and 0.5.3 should update to the patched versions to prevent potential attacks.
Technical summary
The vulnerability is caused by the lack of proper validation of prover-side observations, allowing an attacker to craft distinct transcripts that produce identical challenges. This breaks the binding property of Fiat-Shamir, which is a critical component of the Plonky3 toolkit.
Defensive priority
High
Recommended defensive actions
- Update to Plonky3 version 0.4.3 or 0.5.3 or later.
- Review and update any dependent projects or systems that use Plonky3.
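One way to carry out the review of dependent projects is to scan each project's `Cargo.lock` for Plonky3 crates that predate the patched releases. This is an added example, not code from the advisory or from Plonky3. It assumes Plonky3 crates use the `p3-` name prefix, that every release below 0.4.3 and every 0.5.x release below 0.5.3 is affected, and that release lines after 0.5 carry the fix. The lockfile contents are constructed sample data.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) release line.
PATCHED = {(0, 4): (0, 4, 3), (0, 5): (0, 5, 3)}

# Assumption: Plonky3 crates are published with the "p3-" prefix. The page does
# not say which crate carries the fix, so every p3-* entry is checked.
PREFIX = "p3-"

# Cargo.lock lists each dependency as a [[package]] table with name, then version.
PKG_RE = re.compile(r'\[\[package\]\]\r?\nname = "([^"]+)"\r?\nversion = "([^"]+)"')

def parse_version(text):
    """Return (major, minor, patch); any pre-release or build suffix is ignored."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0])[:3])

def is_affected(version):
    v = parse_version(version)
    fixed = PATCHED.get(v[:2])
    if fixed is not None:
        return v < fixed        # same release line: compare with its patched version
    return v[:2] < (0, 4)       # older lines affected; newer lines assumed fixed

def audit_lockfile(lock_text):
    """Return sorted (crate, version) pairs for Plonky3 crates that need updating."""
    hits = {(n, v) for n, v in PKG_RE.findall(lock_text)
            if n.startswith(PREFIX) and is_affected(v)}
    return sorted(hits)

# Constructed sample lockfile; the versions are illustrative only.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "p3-air"
version = "0.3.0"

[[package]]
name = "p3-challenger"
version = "0.4.2"

[[package]]
name = "p3-field"
version = "0.5.3"

[[package]]
name = "serde"
version = "1.0.200"
"""

if __name__ == "__main__":
    for name, version in audit_lockfile(SAMPLE_LOCK):
        print(f"AFFECTED {name} {version}")
```

Run it against the text of each real `Cargo.lock` in place of `SAMPLE_LOCK`; lockfiles capture transitive dependencies, so indirect use of Plonky3 is reported too.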
Evidence notes
The CVE-2026-46654 vulnerability has been patched in Plonky3 versions 0.4.3 and 0.5.3. Users should update to one of these versions to prevent potential attacks.
Official resources
- CVE-2026-46654 CVE record (CVE.org)
- CVE-2026-46654 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-46654 was published on [2026-06-10T22:16:59.757Z](https://www.cve.org/CVERecord?id=CVE-2026-46654) and modified on [2026-06-11T15:36:44.723Z](https://nvd.nist.gov/vuln/detail/CVE-2026-46654).