Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-3rjw-m598-pq24: Cmov/CmovEq on aarch64 can produce wrong results if high-bits of registers are set

0
Medium
Published: 07/02/2026 (07/02/2026, 17:18:11 UTC)
Source: GCVE Database
Product: cmov

Description

The aarch64 implementations of the Rust crate 'cmov' for the functions Cmov and CmovEq incorrectly handle high bits of registers when loading values smaller than the register size. This causes conditional move operations to produce incorrect results if the high bits are set, due to assumptions about zero-extension that do not hold. The issue affects versions >=0.1.1 and <0.5.4 of the cmov crate. Proof-of-concept tests demonstrate that conditions truncated to smaller types still retain high bits in registers, causing wrong conditional selections. The bug is specific to aarch64 architecture and arises from inline assembly behavior. No known exploits are reported, and the impact depends on how the affected functions are used in calling code.

CVSS v4.0

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
None
Vuln. Integrity
Low
Vuln. Availability
None
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Affected software

crates.ioghsa
cmov
Affected versions
>=0.1.1 <0.5.4

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/02/2026, 23:18:34 UTC

Technical Analysis

The vulnerability in the cmov crate affects the aarch64 backend implementations of Cmov and CmovEq functions. These implementations assume that when loading smaller-than-register-sized values into registers, the upper bits are zero-extended. However, the Rust inline assembly reference states these upper bits are undefined, leading to incorrect conditional move behavior when high bits are set. For example, a condition cast from u32 to u8 may still have high bits set in the register, causing the conditional select (csel) instruction to choose the wrong value. The issue affects versions >=0.1.1 and <0.5.4 of the cmov crate. The problem is demonstrated with failing test cases on aarch64 Linux compiled with Rust 1.94.0. The bug was introduced in the aarch64 backend and relates to how inline assembly operands are handled. The impact is limited to specific usage patterns where narrowing casts mask bits in Rust but not in assembly.

Potential Impact

This vulnerability can cause the Cmov and CmovEq functions on aarch64 to produce incorrect outputs under certain conditions where high bits of registers are set unexpectedly. This may lead to logical errors in software relying on these conditional move operations, potentially causing incorrect program behavior. The impact is limited to the affected versions of the cmov crate on aarch64 platforms and depends on whether the calling code triggers the problematic conditions. There are no reports of known exploits in the wild.

Mitigation Recommendations

No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory or the cmov crate repository for current remediation guidance. Users should avoid relying on the affected versions (>=0.1.1 <0.5.4) of the cmov crate on aarch64 until a fix is released. Review usage of Cmov and CmovEq functions in code to assess potential impact. Consider applying manual workarounds that ensure proper zero-extension of smaller values before passing them to these functions.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-3rjw-m598-pq24
Osv Schema Version
1.4.0
Aliases
["CVE-2026-50185"]
Ecosystems
["crates.io"]
Database Specific Severity
MODERATE
Cvss Version
4.0

Threat ID: 6a46ecc527e9c7971943d837

Added to database: 07/02/2026, 22:57:09 UTC

Last enriched: 07/02/2026, 23:18:34 UTC

Last updated: 07/03/2026, 03:24:20 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses