CVE-2026-40323

HIGH

SP1 V6 Recursion Circuit Row-Count Binding Gap

Title source: cna

Description

SP1 is a zero‑knowledge virtual machine that proves the correct execution of programs compiled for the RISC-V architecture. In versions 6.0.0 through 6.0.2, a soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof that the native verifier would reject. Version 6.1.0 fixes the issue.

References (2)

Scores

CVSS v4 8.9
EPSS 0.0001
EPSS Percentile 1.1%
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Details

CWE
CWE-345 CWE-354
Status published
Products (4)
crates.io/sp1_prover 6.0.0 - 6.1.0crates.io
crates.io/sp1_recursion_circuit 6.0.0 - 6.1.0crates.io
crates.io/sp1_sdk 6.0.0 - 6.1.0crates.io
succinctlabs/sp1 >= 6.0.0, < 6.1.0
Published Apr 18, 2026
Tracked Since Apr 18, 2026