zkao, zkSecurity’s AI auditor, found a critical soundness bug in the openvm-pairing library of the OpenVM zkVM after nine and a half hours of scanning. The flaw, cataloged as CVE-2026-46669, allowed a malicious prover to forge any pairing equality and has already been fixed in OpenVM 1.6.0.