Quantum Simulators Reveal 547 Security Flaws across Leading Frameworks

Dominik Blain and colleagues at Oak Ridge National Laboratory have identified key security weaknesses in the software supporting quantum computing development. A thorough formal audit of 45 open-source quantum computing simulators revealed 547 security findings across four vulnerability classes. The audit details critical and high-severity flaws, including a new quantum-specific attack vector, QASM injection, and establishes a 32-qubit boundary consistently linked to vulnerability chains. The study also highlights a concerning instance of vulnerability transfer between a commercial framework and national laboratory infrastructure, underlining the vital need for strong security practices as the field advances. Quantum simulator security varies widely and scales with qubit count Nine of the 45 audited quantum computing simulators achieved a perfect security score of 100/100, while frameworks such as Qiskit Aer and Cirq registered zero, revealing substantial disparities in security implementation. This wide range indicates a lack of consistent security standards and practices within the open-source quantum computing community. The variation likely stems from differing development priorities, resource constraints, and varying levels of security expertise among contributing developers. A consistent formal threshold of 32 qubits was identified, beyond which vulnerability chains demonstrably increase in both C++ and Python codebases. This suggests that as the simulated quantum system size grows, the complexity of the underlying classical software increases, creating more opportunities for vulnerabilities to emerge. Simulating circuits exceeding this size carried unquantified risk prior to this audit. The analysis uncovered the first documented instance of a security vulnerability transferring from a commercial quantum framework, IBM’s Qiskit Aer, into US national laboratory infrastructure at Oak Ridge National Laboratory, specifically impacting the XACC simulator. This transfer occurred through the inclusion of potentially vulnerable code from Qiskit Aer within XACC’s functionality, demonstrating the interconnectedness of the quantum software ecosystem and the potential for vulnerabilities to propagate across different platforms. A total of 547 security findings were identified across 45 quantum computing simulators from 22 organisations, categorised into four vulnerability classes including a novel quantum-specific attack vector, QASM injection. Detailed analysis revealed 40 critical, 492 high, and 15 medium severity issues. The categorisation allows for prioritisation of remediation efforts, focusing on the most severe vulnerabilities first. Ten direct calls to Python’s potentially dangerous pickle.load() function were found within a single file of the Harvard-developed tequila framework, creating a remote code execution risk. The pickle module allows for serialisation and deserialisation of Python objects, but it is known to be vulnerable to arbitrary code execution if untrusted data is deserialised. This represents a significant security risk, as an attacker could potentially inject malicious code into the system. Live proof-of-concept attacks successfully demonstrated resource exhaustion and code injection, confirming the 32-qubit boundary where vulnerabilities demonstrably increase. For instance, a simulation exceeding 32 qubits triggered out-of-bounds errors. These errors indicate that the software is unable to handle the increased complexity of larger quantum circuits, potentially leading to crashes or exploitable behaviour. Supply chain analysis confirmed this vulnerability transfer from IBM’s Qiskit Aer into US national laboratory infrastructure via XACC, demonstrating the potential for widespread impact. This highlights the importance of secure software supply chain management in the quantum computing field. Static analysis of quantum computing frameworks using COBALT QAI and Z3 COBALT QAI functioned as the primary engine driving this analysis, a sophisticated automated tool for finding weaknesses in software, operating much like a team of expert code reviewers working tirelessly across a vast codebase. The tool employs static analysis, examining code without running it, identifying potential vulnerabilities by dissecting its structure and logic. Static analysis offers several advantages, including the ability to identify vulnerabilities early in the development lifecycle and the ability to analyse large codebases efficiently. Backing COBALT QAI is the Z3 SMT solver, a mathematical engine that rigorously checks if software could be exploited, similar to a detective solving a logic puzzle to find a loophole. It formally verifies whether identified weaknesses are genuinely exploitable. Z3 operates by translating the code into logical constraints and then using its solving algorithms to determine if those constraints can be satisfied in a way that leads to a vulnerability. This formal verification process provides a higher level of confidence in the identified vulnerabilities. Quantum software vulnerabilities expose risks across the supply chain The relentless pursuit of more powerful quantum computers demands ever-complex software, yet this audit reveals a surprising fragility in the foundations upon which that software rests. Classical code simulating and controlling these systems has remained largely unscrutinised, creating a potential backdoor for malicious actors, despite rightful attention focusing on qubit coherence and gate fidelity. While significant effort has been devoted to improving the physical properties of qubits and the accuracy of quantum gates, the security of the classical software stack has received comparatively little attention. This represents a significant oversight, as vulnerabilities in the classical software could compromise the entire quantum system. This analysis highlights a critical gap, though the techniques employed examined code without actual execution. It is important to note that static analysis, while valuable, cannot guarantee the absence of vulnerabilities. Dynamic analysis, which involves running the code and observing its behaviour, is necessary to confirm exploitability. Despite its limitations, identifying these vulnerabilities through static analysis offers important insight. While a dynamic audit, testing code in operation, would confirm exploitability, this initial sweep establishes a baseline of risk across the quantum software supply chain. The discovery of potential weaknesses, including the transfer of flaws into US national laboratory systems, justifies immediate attention and remediation efforts from developers and users. Addressing these vulnerabilities will require a collaborative effort involving the entire quantum computing community. The findings underscore the need for incorporating security best practices into the software development lifecycle, including regular code reviews, vulnerability scanning, and penetration testing. This thorough audit establishes a clear baseline regarding the classical security of quantum computing simulators, revealing systemic vulnerabilities across the field. Identifying 547 security findings, categorised by severity and type, demonstrates that the software foundations of quantum research are susceptible to conventional attacks, including the novel quantum-specific threat termed QASM injection. QASM injection exploits vulnerabilities in the parsing and processing of Open Quantum Assembly Language (QASM), potentially allowing an attacker to manipulate the quantum circuit being simulated. This analysis moves beyond assessing algorithmic complexity and hardware fidelity, instead focusing on the often-overlooked classical components essential for designing and validating quantum systems, and highlights the potential for supply chain risks within this emerging technology. The implications extend beyond academic research, impacting commercial applications of quantum computing and the security of sensitive data processed on these systems. The research identified 547 security vulnerabilities within 45 open-source quantum computing simulators from 22 organisations. This is significant because it demonstrates that the classical software underpinning quantum research is susceptible to conventional hacking techniques, as well as a new quantum-specific attack called QASM injection. A consistent formal threshold of 32 qubits was found to be linked to vulnerability chains in both C++ and Python. The study also revealed a transfer of a vulnerability from a commercial framework into US national laboratory infrastructure, highlighting potential supply chain risks. 👉 More information 🗞 Broken Quantum: A Systematic Formal Verification Study of Security Vulnerabilities Across the Open-Source Quantum Computing Simulator Ecosystem 🧠 ArXiv: https://arxiv.org/abs/2604.06712