How the CVE Works:
The vulnerability occurs in OpenVM's AUIPC chip due to incorrect byte decomposition of the program counter (`pc`). The `pc_limbs` are range-checked to 8 bits instead of 6 bits because of a typo in the enumeration logic (`i=0,1,2` instead of `i=1,2,3`). This allows a malicious prover to manipulate the decomposition, causing an overflow in the BabyBear field. As a result, the destination register can be forced to an incorrect value, bypassing the intended AUIPC instruction constraints.

DailyCVE Form:
Platform: OpenVM
Version: Pre-0f94c8a
Vulnerability: Integer Overflow
Severity: Critical
Date: 2025-05-05

What Undercode Say:

Exploitation:
1. Craft AUIPC instruction with malicious `pc` decomposition.
2. Force `pc_limbs[i]` beyond 6-bit limit.
3. Trigger overflow in BabyBear field.
4. Modify destination register value.

Protection:
1. Patch `core.rs` to correct enumeration (`i=1,2,3`).
2. Enforce strict 6-bit range checks.
3. Verify `pc` decomposition consistency.

Analytics:
- Impact: Arbitrary code execution.
- Attack Vector: Malicious proof submission.
- Affected Systems: OpenVM RISC-V implementations.

Commands:
```bash
git clone https://github.com/openvm-org/openvm
cd openvm
git checkout 0f94c8a3dfa7536c1231465d1bdee5fc607a5993
```
Code Fix:
```rust
// Before (Vulnerable): the loop indexes limbs 0..2 and checks each at 8 bits
for i in 0..3 {
    range_check(pc_limbs[i], 8);
}

// After (Patched): the loop indexes limbs 1..3 and checks against the 6-bit bound
for i in 1..4 {
    range_check(pc_limbs[i], 6);
}
```
Detection:
```python
def check_overflow(pc_limbs):
    # Flag a decomposition whose limbs 1..3 exceed the 6-bit bound (2**6 == 64)
    return any(limb >= 64 for limb in pc_limbs[1:4])
```
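An added Python model (not code from the advisory or from OpenVM) of why the 6-bit bound matters and why the detection rule above keys on 64: when every limb may hold 8 bits, the composed value can exceed the BabyBear prime, so two different limb tuples can stand for the same `pc` as a field element; with the top limb bounded to 6 bits, the composed value stays below the prime and the decomposition is unique. The prime, the little-endian 8/8/8/6 limb layout and the function names are assumptions of this model.

```python
# Added model of the pc-limb range check; the limb layout and prime are
# assumptions of this example, not code from the advisory or from OpenVM.
BABYBEAR_P = 2**31 - 2**27 + 1         # BabyBear prime, 2013265921
PC_BITS = 30                           # pc values are assumed to be < 2**30
STRICT_BITS = (8, 8, 8, PC_BITS - 24)  # limbs 0..3, little-endian: 8, 8, 8, 6 bits
WEAK_BITS = (8, 8, 8, 8)               # the pre-fix check: top limb also 8 bits


def compose(limbs):
    """Reassemble pc from four little-endian limbs as a BabyBear field element."""
    return sum(limb << (8 * i) for i, limb in enumerate(limbs)) % BABYBEAR_P


def limbs_in_range(limbs, bits):
    """Range check each limb against its allowed width; True if all pass."""
    return all(0 <= limb < (1 << b) for limb, b in zip(limbs, bits))


def composition_is_unique(bits):
    """The decomposition is sound only if the largest representable value is
    still below the prime, so that no reduction mod p can ever occur."""
    largest = sum(((1 << b) - 1) << (8 * i) for i, b in enumerate(bits))
    return largest < BABYBEAR_P


def wrapped_limbs(pc):
    """A second limb tuple for the same field element: the limbs of pc + p.
    A strict checker must reject it; returns None if it cannot be formed."""
    shifted = pc + BABYBEAR_P
    if shifted >= 1 << 32:
        return None
    limbs = tuple((shifted >> (8 * i)) & 0xFF for i in range(4))
    return limbs if compose(limbs) == pc % BABYBEAR_P else None


def audit(pc, limbs, bits=STRICT_BITS):
    """Accept a decomposition only if it is in range and composes to pc."""
    return limbs_in_range(limbs, bits) and compose(limbs) == pc
```

With the strict widths the largest composable value is 2**30 - 1, which is below the prime, so `audit` accepts exactly one limb tuple per `pc`; with the weak widths the wrapped tuple passes the range check yet composes to the same field element.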
Mitigation:
- Deploy updated OpenVM version.
- Audit proof submissions for abnormal `pc` values.
- Monitor BabyBear field arithmetic.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode