Search criteria
2 vulnerabilities found for signatures by RustCrypto
CVE-2026-24850 (GCVE-0-2026-24850)
Vulnerability from cvelistv5 – Published: 2026-01-28 00:24 – Updated: 2026-01-28 14:54
VLAI?
Title
ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices
Summary
The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue.
Severity ?
5.3 (Medium)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | signatures |
Affected:
>= 0.0.4, < 0.1.0-rc.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24850",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:53:25.394412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:54:22.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "signatures",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.4, \u003c 0.1.0-rc.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`\u003c=` instead of `\u003c`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `\u003c` comparison to `\u003c=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T00:24:53.146Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9"
},
{
"name": "https://github.com/RustCrypto/signatures/issues/894",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/issues/894"
},
{
"name": "https://github.com/RustCrypto/signatures/pull/895",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/pull/895"
},
{
"name": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a"
},
{
"name": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38"
},
{
"name": "https://csrc.nist.gov/pubs/fips/204/final",
"tags": [
"x_refsource_MISC"
],
"url": "https://csrc.nist.gov/pubs/fips/204/final"
},
{
"name": "https://datatracker.ietf.org/doc/html/rfc9881",
"tags": [
"x_refsource_MISC"
],
"url": "https://datatracker.ietf.org/doc/html/rfc9881"
},
{
"name": "https://github.com/C2SP/wycheproof",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/C2SP/wycheproof"
},
{
"name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json"
},
{
"name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json"
},
{
"name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json"
}
],
"source": {
"advisory": "GHSA-5x2r-hc65-25f9",
"discovery": "UNKNOWN"
},
"title": "ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24850",
"datePublished": "2026-01-28T00:24:53.146Z",
"dateReserved": "2026-01-27T14:51:03.060Z",
"dateUpdated": "2026-01-28T14:54:22.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22705 (GCVE-0-2026-22705)
Vulnerability from cvelistv5 – Published: 2026-01-10 06:14 – Updated: 2026-01-12 16:43
VLAI?
Title
RustCrypto: Signatures has timing side-channel in ML-DSA decomposition
Summary
RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2.
Severity ?
6.4 (Medium)
CWE
- CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RustCrypto | signatures |
Affected:
< 0.1.0-rc.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-12T16:42:51.482698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T16:43:06.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "signatures",
"vendor": "RustCrypto",
"versions": [
{
"status": "affected",
"version": "\u003c 0.1.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1240",
"description": "CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T06:14:20.292Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7"
},
{
"name": "https://github.com/RustCrypto/signatures/pull/1144",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/pull/1144"
},
{
"name": "https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558"
}
],
"source": {
"advisory": "GHSA-hcp2-x6j4-29j7",
"discovery": "UNKNOWN"
},
"title": "RustCrypto: Signatures has timing side-channel in ML-DSA decomposition"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22705",
"datePublished": "2026-01-10T06:14:20.292Z",
"dateReserved": "2026-01-08T19:23:09.857Z",
"dateUpdated": "2026-01-12T16:43:06.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}