What is the severity of CVE-2026-23519?

CVE-2026-23519 has a severity rating of HIGH with a CVSS base score of 8.9.

CVE-2026-23519 | High Vulnerability in RustCrypto CMOV

Q: What is CVE-2026-23519?

A high-severity vulnerability has been identified in RustCrypto CMOV, affecting versions prior to 0.4.4. This vulnerability allows for non-constant time execution, potentially leading to information leakage. Organizations should prioritize patching immediately.

RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4.

The severity of this vulnerability is classified as high with a CVSS score of 8.9. Risk to organizations includes potential information leakage through non-constant time execution, which can be exploited by attackers. Organizations should prioritize patching immediately.

As of now, no known exploits have been confirmed in the wild, and the vulnerability does not appear in the Known Exploited Vulnerabilities (KEV) catalog. However, the potential for exploitation remains a concern, given the nature of the vulnerability.

Organizations using affected versions should assess their environments for exposure and apply the patch to mitigate risk. The patch is available in version 0.4.4, which should be implemented as soon as possible.

Vulnerability Details

The vulnerability allows for non-constant time execution in certain scenarios, which could lead to data leaks through timing attacks. The CVSS score of 8.9 indicates a high severity, with the vulnerability being exploitable over the network. The affected product is RustCrypto's CMOV component, with the vulnerability present in versions prior to 0.4.4.

Technical Analysis

The root cause of the vulnerability stems from the thumbv6m-none-eabi compiler's behavior, which emits non-constant time assembly when executing the cmovnz instruction. This behavior can lead to potential information leakage in applications that rely on constant-time execution for security.

The attack vector is network-based, with a high attack complexity due to the requirement for precise timing. No user interaction is necessary for exploitation, and the vulnerability impacts confidentiality significantly, while integrity and availability are unaffected.

Risk & Impact Analysis

Organizations utilizing RustCrypto CMOV version prior to 0.4.4 are at risk of timing attacks, which may lead to unauthorized data disclosure. The potential blast radius is significant, as applications leveraging this library may inadvertently expose sensitive information. The urgency for organizations to address this vulnerability is high, given the CVSS score and the impact on confidentiality.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions prior to vendor patch 0.4.4 are affected. Organizations should ensure that they upgrade to this version or later to mitigate the risk associated with this vulnerability.

Mitigation & Remediation

To mitigate this vulnerability, organizations should apply the patch included in RustCrypto CMOV version 0.4.4. For organizations unable to upgrade immediately, implementing configuration hardening and network controls may provide temporary protection. Regular monitoring for any unusual behavior that could indicate exploitation attempts is advisable.

Detection Guidance

Organizations should monitor logs for any anomalies that could suggest attempts to exploit this vulnerability. Behavioral indicators such as unexpected execution times or resource usage may also signal an ongoing attack.

AppSecure Threat Intelligence Insight

This vulnerability highlights the ongoing challenge of achieving constant-time execution in cryptographic libraries. Security teams must remain vigilant against timing attacks and continually assess their applications for vulnerabilities. For further guidance, organizations may find value in reviewing the penetration testing methodology and the importance of implementing robust security practices.

Additionally, reviewing the latest trends in vulnerabilities can be crucial for preemptive measures. Organizations are encouraged to read about vulnerability management programs as part of their ongoing security posture improvement.

Lastly, organizations should consider engaging in regular API penetration testing to ensure their systems are resilient against similar vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-23519: High Vulnerability in RustCrypto CMOV