External risk intelligence

Noir could allow an internal attacker to corrupt program memory and cause crashes.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-41197

Noir contains a memory flaw that could allow an internal attacker to corrupt system memory during program compilation. This could enable unauthorized changes to sensitive proof data or the bypass of critical program logic, threatening the integrity of business applications.

1Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-41197

The vulnerability occurs within a compiler tool used to build cryptographic proving circuits. It is triggered during the compilation process, which is a build-time or local development activity. Compilers are developer-centric tools typically run in isolated development environments or internal build pipelines, not public-facing network services.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Noir compiler can lead to heap corruption when compiling specific types of nested array structures. This means that programs compiled with the affected versions of Noir might not behave as expected, potentially causing application instability or unexpected outcomes. Teams should pay attention because the corruption occurs during the compilation phase, potentially impacting the integrity of generated code.

  • Corrupts memory when compiling arrays.
  • Can affect programs using complex data types.
  • Impacts code generation integrity.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by crafting malicious Noir code that, when compiled, causes the Noir compiler to allocate insufficient memory for nested array results. This leads to heap corruption within the Brillig VM, potentially allowing an attacker to control program execution or leak sensitive data during the execution of compiled Noir programs. This requires the attacker to control the Noir source code being compiled.

  • Attacker controls source code.
  • Compilation process is vulnerable.
  • Heap corruption on VM execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability, residing in a compiler for cryptographic proving systems, is unlikely to be directly weaponized by attackers in the wild. Exploitation requires deep understanding of the compiler's internal workings and execution within a development or build environment, rather than through a public-facing attack vector.

  • Primarily affects build process.
  • No observed exploitation activity.
  • Fix is available in a specific beta release.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Noir to version 1.0.0-beta.19 to address heap corruption in the Brillig VM during compilation of nested arrays. If patching is not immediately feasible, implement strict input validation for foreign calls returning complex array types and enhance monitoring for unusual memory allocation patterns or VM crashes.

  • Patch Noir to v1.0.0-beta.19.
  • Monitor for heap corruption and VM crashes.
  • Validate foreign call array return types.

Frequently asked questions

What is Noir and what is it used for in the context of cybersecurity?

Noir is a domain-specific language (DSL) designed for SNARK proving systems, which are used in zero-knowledge proofs. It allows developers to create complex zero-knowledge programs with a user-friendly syntax, simplifying the process of building secure and private applications. It's used for tasks requiring verifiable computation without revealing underlying data, such as in privacy-focused blockchain applications.

What kind of vulnerability does CVE-2026-41197 describe?

CVE-2026-41197 is related to an incorrect calculation of buffer size (CWE-131). In the Noir compiler, when processing foreign function calls that return nested arrays with composite types (like tuples), the compiler incorrectly calculates the necessary memory allocation, leading to heap corruption.
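
A simplified model of the CWE-131 bug class this answer describes, added here as an illustration and not taken from Noir's compiler. The type encoding and function names are hypothetical, and the flawed sizer shows only one way a nested composite type can be under-counted; the advisory does not say which calculation was wrong.

```python
# Simplified model of the CWE-131 bug class. The tuple-based type encoding is
# hypothetical and is not Noir's or the Brillig VM's real representation.
FIELD = ("field",)

def tup(*members):
    return ("tuple", members)

def array(length, elem):
    return ("array", length, elem)

def flat_size(ty):
    """Slots needed once a value of this type is fully flattened."""
    kind = ty[0]
    if kind == "field":
        return 1
    if kind == "tuple":
        return sum(flat_size(m) for m in ty[1])
    if kind == "array":
        return ty[1] * flat_size(ty[2])
    raise ValueError(f"unknown type kind: {kind!r}")

def naive_size(ty):
    """Flawed sizing: follows nested arrays but counts a tuple as one slot."""
    if ty[0] == "array":
        return ty[1] * naive_size(ty[2])
    return 1

def checked_store(capacity, values):
    """Copy values into a buffer of `capacity` slots, refusing to overrun it."""
    if len(values) > capacity:
        raise OverflowError(f"{len(values)} values for {capacity} slots")
    buf = [0] * capacity
    buf[: len(values)] = values
    return buf

# Constructed return type: [[(Field, Field); 3]; 2]
NESTED = array(2, array(3, tup(FIELD, FIELD)))

def demo():
    need, got = flat_size(NESTED), naive_size(NESTED)
    try:
        checked_store(got, list(range(need)))
        caught = False
    except OverflowError:
        caught = True
    return need, got, caught

if __name__ == "__main__":
    print(demo())
```

The bounds check in `checked_store` turns the size mismatch into an immediate error; without such a check, the extra values would be written past the end of the allocation.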

How can an attacker trigger the vulnerability in CVE-2026-41197?

An attacker can trigger this vulnerability by crafting malicious Noir code. When this code is compiled, the Noir compiler incorrectly allocates memory for nested array results, causing heap corruption in the Brillig VM. This issue specifically arises when dealing with foreign calls that return nested arrays of composite types.

Who is most likely to be affected by this Noir compiler vulnerability?

Developers and systems that compile or execute Noir programs are affected. The vulnerability impacts the integrity of the compiled code and can lead to memory corruption within the Brillig VM. While the vulnerability is critical, its exploitation requires control over the Noir source code being compiled, making it less likely for external, unauthenticated attackers to exploit without prior access.

What is the immediate first step for users running affected Noir versions?

The recommended first step is to update the Noir compiler to version 1.0.0-beta.19 or later. This update addresses the heap corruption issue by correcting the memory allocation logic for nested arrays during compilation.
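
To act on this answer and on the "Patch Noir to v1.0.0-beta.19" item under Operational Fix, installed versions have to be compared against a pre-release tag, where plain string comparison ranks `beta.9` above `beta.19`. The check below is an added example, not code from the Noir project; the inventory is constructed, and it assumes every version older than the fixed release needs the update, since the page gives no lower bound.

```python
import re

FIXED = "1.0.0-beta.19"  # fixed release named in this advisory
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

def precedence_key(version):
    """Sort key following semantic-versioning precedence rules."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (1, ())  # a release outranks all of its pre-releases
    # Numeric identifiers compare as integers and rank below alphanumeric ones.
    ids = tuple(
        (0, int(p), "") if p.isdigit() else (1, 0, p)
        for p in m.group(4).split(".")
    )
    return core + (0, ids)

def needs_update(version):
    # Assumption: anything older than FIXED needs the update.
    return precedence_key(version) < precedence_key(FIXED)

def naive_needs_update(version):
    # Plain string comparison: wrong for "beta.9" versus "beta.19".
    return version < FIXED

# Constructed inventory (host names and versions are made up).
INVENTORY = {
    "ci-runner-01": "1.0.0-beta.9",
    "ci-runner-02": "v1.0.0-beta.18+abc123",
    "dev-laptop-07": "1.0.0-beta.19",
    "build-03": "1.0.0",
}

def hosts_to_patch(inventory):
    return sorted(h for h, v in inventory.items() if needs_update(v))

if __name__ == "__main__":
    print(hosts_to_patch(INVENTORY))
```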
