rustsec-2026-0077
Vulnerability from osv_rustsec
The ML-DSA verification algorithm as specified in FIPS 204, subsection 6.3 requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\gamma_1 - \beta$ (line 13 of Algorithm 8). The same check is required to be performed during signature generation.
libcrux-ml-dsa did not perform this check correctly during signature verification, accepting signatures with signer response norm above the allowed maximum value. The check is correctly performed during signing.
Impact
Applications using libcrux-ml-dsa for signature verification would have accepted signatures that would be rejected by a conforming implementation.
Mitigation
Starting from version 0.0.8, signature verification uses the correct
value for $\gamma_1$ in the signer response norm check.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"libcrux_ml_dsa::ml_dsa_44::verify",
"libcrux_ml_dsa::ml_dsa_65::verify",
"libcrux_ml_dsa::ml_dsa_87::verify"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "libcrux-ml-dsa",
"purl": "pkg:cargo/libcrux-ml-dsa"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.0.8"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-cp57-fq8g-qh6v"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "The ML-DSA verification algorithm as specified in [FIPS 204,\nsubsection\n6.3](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#subsection.6.3)\nrequires verifiers to check that the infinity norm of the deserialized\nsigner response $z$ does not exceed $\\gamma_1 - \\beta$ (line 13 of\nAlgorithm 8).\nThe same check is required to be performed during signature generation.\n\nlibcrux-ml-dsa did not perform this check correctly during signature\nverification, accepting signatures with signer response norm above the\nallowed maximum value. The check is correctly performed during\nsigning.\n\n## Impact\nApplications using libcrux-ml-dsa for signature verification would\nhave accepted signatures that would be rejected by a conforming\nimplementation.\n\n## Mitigation\nStarting from version `0.0.8`, signature verification uses the correct\nvalue for $\\gamma_1$ in the signer response norm check.",
"id": "RUSTSEC-2026-0077",
"modified": "2026-03-27T05:55:06Z",
"published": "2026-03-04T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/libcrux-ml-dsa"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0077.html"
},
{
"type": "WEB",
"url": "https://github.com/cryspen/libcrux/pull/1347"
}
],
"related": [],
"severity": [],
"summary": "Incorrect Check of Signer Response Norm During Verification"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.