Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.
How AI Introduced This
Devin AI directly contributed by creating the new ML-KEM implementation file `wolfcrypt/src/wc_mlkem.c` with the same shared-buffer `rho`/`sigma` seed-pointer design that the fix later hardens with separate storage and integrity checks. Even though the pattern existed earlier in human-authored Kyber code, this AI-authored reimplementation was a new vulnerable code path and part of the causal chain for the CVE.
Attribution Chain
Bug-Introducing Commits (1)
Update Kyber APIs to ML-KEM APIs
Deep Verification
by GPT-5.4

This AI-authored commit created `wolfcrypt/src/wc_mlkem.c` and introduced `wc_MlKemKey_MakeKeyWithRandom()` with `byte buf[2 * KYBER_SYM_SZ + 1]; byte* rho = buf; byte* sigma = buf + KYBER_SYM_SZ;`, then passed `sigma` into noise/keygen routines. The fix reverses that design by moving `sigma` to separate storage and verifying the copied seed, which is exactly the fault-hardening missing here. Although later rename work changed some identifiers, this commit wrote the vulnerable ML-KEM implementation file, so under the reimplementation rule it is a true BIC.
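The two layouts contrasted in the verification note, as an added example that is not wolfSSL's code: `keygen_shared_buffer` mirrors the quoted pattern where `sigma` is only a pointer into the same buffer as `rho`, and `keygen_separate_storage` shows the hardened shape the fix is described as having, a private `sigma` array whose copy is verified before any noise is sampled from it. The Keccak-based expansion and the noise sampler are replaced by constructed stand-ins (`expand_stub`, `sample_noise_stub`), the 32-byte seed size and every function name are assumptions, and none of this is the project's API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SEED_SZ 32  /* assumption: 32-byte rho/sigma seeds as in ML-KEM */

/* Constructed stand-in for the Keccak-based expansion: derives 2*SEED_SZ
 * output bytes from a SEED_SZ-byte input. Not cryptographic; it only has
 * to be deterministic for this demonstration. */
static void expand_stub(const uint8_t *in, uint8_t *out)
{
    uint32_t s = 0x9e3779b9u;
    for (size_t i = 0; i < 2 * SEED_SZ; i++) {
        s ^= in[i % SEED_SZ];
        s = (s ^ (s >> 13)) * 0x85ebca6bu;
        s ^= s >> 16;
        out[i] = (uint8_t)s;
    }
}

/* Constructed stand-in for the noise sampler that consumes sigma. */
static void sample_noise_stub(const uint8_t *sigma, uint8_t *noise)
{
    expand_stub(sigma, noise);  /* writes 2*SEED_SZ bytes */
}

/* Pattern the page quotes: rho and sigma are pointers into one shared
 * buffer. Whatever a transient fault does to that buffer or to the sigma
 * pointer between expansion and noise sampling is consumed unchecked. */
int keygen_shared_buffer(const uint8_t *d, uint8_t *rho_out, uint8_t *noise_out)
{
    uint8_t buf[2 * SEED_SZ + 1];
    uint8_t *rho = buf;
    uint8_t *sigma = buf + SEED_SZ;

    expand_stub(d, buf);
    memcpy(rho_out, rho, SEED_SZ);
    sample_noise_stub(sigma, noise_out);
    return 0;
}

/* Constant-time comparison: returns 1 if any byte differs, else 0. */
int seed_copy_differs(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc != 0;
}

/* Hardened shape the page describes: sigma lives in its own storage and the
 * copy is verified before use. A fault that corrupts the copy, or the source
 * half of buf while it is being copied, surfaces as a mismatch and keygen
 * aborts instead of sampling noise from a wrong seed. */
int keygen_separate_storage(const uint8_t *d, uint8_t *rho_out, uint8_t *noise_out)
{
    uint8_t buf[2 * SEED_SZ + 1];
    uint8_t sigma[SEED_SZ];   /* own storage, not a pointer into buf */
    int rc = -1;

    expand_stub(d, buf);
    memcpy(sigma, buf + SEED_SZ, SEED_SZ);
    if (seed_copy_differs(sigma, buf + SEED_SZ, SEED_SZ) == 0) {
        memcpy(rho_out, buf, SEED_SZ);
        sample_noise_stub(sigma, noise_out);
        rc = 0;
    }
    /* Scrub seed material on every path; a real build would use a memset
     * the compiler cannot elide. */
    memset(sigma, 0, sizeof sigma);
    memset(buf, 0, sizeof buf);
    return rc;
}

/* Runs both paths on a constructed seed and reports whether they agree:
 * the hardening adds an abort path but does not change the outputs. */
int demo_paths_agree(void)
{
    uint8_t d[SEED_SZ];
    uint8_t rho1[SEED_SZ], rho2[SEED_SZ], n1[2 * SEED_SZ], n2[2 * SEED_SZ];
    for (size_t i = 0; i < SEED_SZ; i++)
        d[i] = (uint8_t)(0xA5 ^ i);   /* constructed input seed */
    if (keygen_shared_buffer(d, rho1, n1) != 0) return 0;
    if (keygen_separate_storage(d, rho2, n2) != 0) return 0;
    return memcmp(rho1, rho2, SEED_SZ) == 0 && memcmp(n1, n2, 2 * SEED_SZ) == 0;
}

int main(void)
{
    printf("paths agree: %s\n", demo_paths_agree() ? "yes" : "no");
    return 0;
}
```

The check only covers the copy itself, which is the scope the page attributes to the fix; a caller should treat the -1 return as a hard failure (discard any partial key state, do not retry silently), since on a microcontroller a mismatch here is the observable signal of a fault in progress.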
AI Signals (1)

| Tool | Signal | Value | Confidence |
| --- | --- | --- | --- |
| Devin | Author name | Devin AI | 95% |