RUSTSEC-2026-0207
Incorrect Output of Incremental Portable SHAKE API on Multiple Squeeze Calls
Details
The incremental squeeze functions in the portable SHAKE XOF API, when attempting to squeeze an output using multiple calls to `squeeze`, rather than squeezing the full output at once, could output incorrect values. Internally, output blocks that were not completely squeezed were not buffered for the next call to `squeeze`, which would consequently drop bytes of the correct squeeze output if the preceding call requested an output of length in bytes not cleanly divisible by `RATE` (168 for SHAKE128, 136 for SHAKE256).
## Impact This bug impacts users that rely on this XOF API to squeeze output in multiple calls where any of the calls request an output length that is not divisible by `RATE`. It does not impact the use of libcrux-sha3 in libcrux-ml-kem or libcrux-ml-dsa.
## Mitigation Starting from version `0.0.10` the squeeze functions correctly output all squeezed bytes independent of the number of `squeeze` calls and the output lengths requested in each call.
Are you affected?
Enter the version of the package you're using.
Affected packages
0.0.0-0 Fixed in: 0.0.10 Upgrade libcrux-sha3 to 0.0.10 or newer (ecosystem crates.io).