Over the past few months, I’ve been coordinating the disclosure of a new vulnerability that I’ve found. Today is the disclosure date, so I am excited that I can finally talk about what I’ve been working on! The vulnerability has been assigned CVE-2022-37454 and the security advisory is available here.

The vulnerability impacts the eXtended Keccak Code Package (XKCP), which is the “official” SHA-3 implementation by its designers. It also impacts various projects that have incorporated this code, such as the Python and PHP scripting languages.