PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50185 RustCrypto CVE debrief

A low-severity vulnerability was found in RustCrypto CMOV, affecting aarch64 implementations of Cmov and CmovEq. The issue, fixed in version 0.5.4, can cause incorrect output when high bits are set in Cmov selectors or operands. This vulnerability has a CVSS score of 2.0 and is considered low-severity. The CVE record was published on 2026-07-17T19:17:16.370Z and has not been modified since then.

Vendor
RustCrypto
Product
utils
CVSS
LOW 2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers using RustCrypto CMOV in their projects, especially those targeting aarch64 platforms, should be aware of this vulnerability and take steps to update to version 0.5.4 or later. This includes reviewing and testing affected code, monitoring for potential issues, and confirming whether affected product deployments exist in managed environments.

Technical summary

The aarch64 implementations of Cmov and CmovEq in cmov/src/backends/aarch64.rs assume high bits are zero-extended when loading values smaller than a register. This can cause left.cmovz(&right, condition) to produce incorrect output when high bits are set in Cmov selectors or operands. The issue is fixed in version 0.5.4. The vulnerability has a CVSS score of 2.0, indicating low severity. Affected products using RustCrypto CMOV on aarch64 platforms should be updated to version 0.5.4 or later to mitigate this low-severity vulnerability. Developers should review and test affected code, monitor for potential issues, and confirm whether affected product deployments exist in managed environments.

Defensive priority

Low

Recommended defensive actions

  • Update to version 0.5.4 or later
  • Review and test affected code
  • Monitor for potential issues
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-17T19:17:16.370Z and has not been modified since then. The NVD entry is currently 2.0. This information is based on the official CVE record and NVD detail page. The vulnerability affects aarch64 implementations of Cmov and CmovEq in RustCrypto CMOV. The issue is fixed in version 0.5.4. Developers should review the official advisory for affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:16.370Z and has not been modified since then.