This paper describes a vulnerability in several
implementations of the Secure Hash Algorithm 3 (SHA-3) that have
been released by its designers. The vulnerability has been present
since the final-round update of Keccak was submitted to the
National Institute of Standards and Technology (NIST) SHA-3 hash
function competition in January 2011, and is present in the
eXtended Keccak Code Package (XKCP) of the Keccak team. It affects
all software projects that have integrated this code, such as the
scripting languages Python and PHP Hypertext Preprocessor (PHP).
The vulnerability is a buffer overflow that allows
attacker-controlled values to be eXclusive-ORed (XORed) into memory
(without any restrictions on values to be XORed and even far beyond
the location of the original buffer), thereby making many standard
protection measures against buffer overflows (e.g., canary values)
completely ineffective.
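
Why a canary check does not catch an XOR-style overflow, as an added example (not code from the paper or from XKCP): a constructed frame model kept inside one array, with a made-up canary value and hypothetical helper names, compares a copy-style overflow with an XOR-style one. It models only the adjacent-canary case, not writes far beyond the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame model: buffer | canary | saved slot, all in one array,
   so every "overflowing" write stays inside memory this program owns. */
enum { BUF_LEN = 16, CANARY_LEN = 8, SAVED_LEN = 8,
       FRAME_LEN = BUF_LEN + CANARY_LEN + SAVED_LEN };
static const uint8_t CANARY[CANARY_LEN] =      /* constructed sample value */
    { 0x00, 0xa7, 0x3c, 0x91, 0x5e, 0xd2, 0x48, 0xbb };

typedef struct { uint8_t mem[FRAME_LEN]; } frame_t;

static void frame_init(frame_t *f) {
    memset(f->mem, 0, FRAME_LEN);
    memcpy(f->mem + BUF_LEN, CANARY, CANARY_LEN);
    memset(f->mem + BUF_LEN + CANARY_LEN, 0x11, SAVED_LEN);
}

/* Copy-style overflow: input bytes are stored, so a linear write that
   reaches the saved slot has to replace the canary bytes on the way. */
static void overflow_copy(frame_t *f, const uint8_t *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;          /* keep the model in bounds */
    memcpy(f->mem, in, n);
}

/* XOR-style overflow: input bytes are XORed into memory, so a zero input
   byte leaves the byte it lands on unchanged. */
static void overflow_xor(frame_t *f, const uint8_t *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    for (size_t i = 0; i < n; i++) f->mem[i] ^= in[i];
}

static int canary_intact(const frame_t *f) {
    return memcmp(f->mem + BUF_LEN, CANARY, CANARY_LEN) == 0;
}
static int saved_intact(const frame_t *f) {
    for (size_t i = 0; i < SAVED_LEN; i++)
        if (f->mem[BUF_LEN + CANARY_LEN + i] != 0x11) return 0;
    return 1;
}
/* Same input for both writers; result bit 0 = canary intact, bit 1 = saved slot intact. */
int run_case(int use_xor) {
    uint8_t in[FRAME_LEN];
    frame_t f;
    frame_init(&f);
    memset(in, 0x41, FRAME_LEN);
    memset(in + BUF_LEN, 0x00, CANARY_LEN);    /* zeros where the canary sits */
    if (use_xor) overflow_xor(&f, in, FRAME_LEN); else overflow_copy(&f, in, FRAME_LEN);
    return canary_intact(&f) | (saved_intact(&f) << 1);
}
int main(void) { return (run_case(0) == 0 && run_case(1) == 1) ? 0 : 1; }
```

In the copy case the canary check fails and flags the corruption; in the XOR case the check passes although the saved slot has changed, which is why the fix has to be the bounds check in the hashing code itself rather than reliance on canaries.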
Read more https://packetstormsecurity.com/files/171253/2023-331.pdf