rustsec-2026-0076
Vulnerability from osv_rustsec
Published
2026-03-04 12:00
Modified
2026-03-27 05:55
Summary
Panic in Signature Hint Decoding During Verification
Details
During ML-DSA verification the serialized hint values are decoded as
specified in algorithm 22 HintBitUnpack of FIPS 204, subsection
7.1. The
algorithm requires that the cumulative hint counters per row of the
hint vector are strictly increasing and below a maximum value which
depends on the choice of ML-DSA parameter set (line 4).
In libcrux-ml-dsa, hint decoding did not check the boundedness of the cumulative hint counter of the last row of the hint vector.
Impact
A manipulated invalid hint can cause an out-of-bounds memory access since the hint decoding logic may attempt to read outside the bounds of the serialized signature, causing a runtime panic.
Mitigation
Starting from version 0.0.8, hint decoding will check the cumulative
hint counter of the last row as well.
Severity
References
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"libcrux_ml_dsa::ml_dsa_44::verify",
"libcrux_ml_dsa::ml_dsa_65::verify",
"libcrux_ml_dsa::ml_dsa_87::verify"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "libcrux-ml-dsa",
"purl": "pkg:cargo/libcrux-ml-dsa"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.0.8"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-xrf2-5r3p-5wgj"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "During ML-DSA verification the serialized hint values are decoded as\nspecified in algorithm 22 `HintBitUnpack` of [FIPS 204, subsection\n7.1](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#%5B%7B%22num%22%3A120%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22FitH%22%7D%2C657%5D). The\nalgorithm requires that the cumulative hint counters per row of the\nhint vector are strictly increasing and below a maximum value which\ndepends on the choice of ML-DSA parameter set (line 4).\n\nIn libcrux-ml-dsa, hint decoding did not check the boundedness of the\ncumulative hint counter of the last row of the hint vector.\n\n## Impact\nA manipulated invalid hint can cause an out-of-bounds memory access\nsince the hint decoding logic may attempt to read outside the bounds\nof the serialized signature, causing a runtime panic.\n\n## Mitigation\nStarting from version `0.0.8`, hint decoding will check the cumulative\nhint counter of the last row as well.",
"id": "RUSTSEC-2026-0076",
"modified": "2026-03-27T05:55:06Z",
"published": "2026-03-04T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/libcrux-ml-dsa"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0076.html"
},
{
"type": "WEB",
"url": "https://github.com/cryspen/libcrux/pull/1348"
}
],
"related": [],
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Panic in Signature Hint Decoding During Verification"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…