CVE-2026-24850
- Source
- https://cve.org/CVERecord?id=CVE-2026-24850
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24850.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-24850
- Aliases
- Published
- 2026-01-28T00:24:53.146Z
- Modified
- 2026-03-14T12:47:22.301129Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices
- Details
-
The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto
ml-dsacrate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be strictly increasing. The current implementation uses a non-strict monotonic check (<=instead of<), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict<comparison to<=, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue. - Database specific
{ "cwe_ids": [ "CWE-347" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24850.json" }- References
-
- https://csrc.nist.gov/pubs/fips/204/final
- https://datatracker.ietf.org/doc/html/rfc9881
- https://github.com/C2SP/wycheproof
- https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json
- https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json
- https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24850.json
- https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a
- https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38
- https://github.com/RustCrypto/signatures/issues/894
- https://github.com/RustCrypto/signatures/pull/895
- https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9
- https://nvd.nist.gov/vuln/detail/CVE-2026-24850
Affected packages
Git / github.com/rustcrypto/signatures
Affected ranges
- Type
- GIT
- Repo
- https://github.com/rustcrypto/signatures
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/rustcrypto/signatures
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
dsa-v0.*
dsa-v0.7.0-rc.10
dsa/v0.*
dsa/v0.2.0
dsa/v0.3.0
dsa/v0.4.0
dsa/v0.4.1
dsa/v0.4.2
dsa/v0.5.0
dsa/v0.5.0-pre.1
dsa/v0.5.0-rc.0
dsa/v0.5.0-rc.1
dsa/v0.6.0
dsa/v0.6.1
dsa/v0.6.2
dsa/v0.7.0-pre.0
dsa/v0.7.0-pre.1
dsa/v0.7.0-rc.0
dsa/v0.7.0-rc.1
dsa/v0.7.0-rc.11
dsa/v0.7.0-rc.2
dsa/v0.7.0-rc.3
dsa/v0.7.0-rc.4
dsa/v0.7.0-rc.5
dsa/v0.7.0-rc.6
dsa/v0.7.0-rc.7
dsa/v0.7.0-rc.8
dsa/v0.7.0-rc.9
ecdsa/0.*
ecdsa/0.11.0-pre.5
ecdsa/0.16.2
ecdsa/v0.*
ecdsa/v0.1.0
ecdsa/v0.10.0
ecdsa/v0.10.0-pre
ecdsa/v0.10.1
ecdsa/v0.10.2
ecdsa/v0.11.0
ecdsa/v0.11.0-pre.1
ecdsa/v0.11.0-pre.2
ecdsa/v0.11.0-pre.3
ecdsa/v0.11.0-pre.4
ecdsa/v0.11.0-pre.6
ecdsa/v0.11.1
ecdsa/v0.12.0
ecdsa/v0.12.1
ecdsa/v0.12.2
ecdsa/v0.12.3
ecdsa/v0.12.4
ecdsa/v0.13.0
ecdsa/v0.13.2
ecdsa/v0.13.3
ecdsa/v0.13.4
ecdsa/v0.14.0
ecdsa/v0.14.0-pre.1
ecdsa/v0.14.0-pre.2
ecdsa/v0.14.0-pre.3
ecdsa/v0.14.0-pre.5
ecdsa/v0.14.1
ecdsa/v0.14.2
ecdsa/v0.14.3
ecdsa/v0.14.4
ecdsa/v0.14.5
ecdsa/v0.14.6
ecdsa/v0.14.7
ecdsa/v0.14.8
ecdsa/v0.15.0
ecdsa/v0.15.0-pre.0
ecdsa/v0.15.0-pre.1
ecdsa/v0.15.0-rc.1
ecdsa/v0.16.0
ecdsa/v0.16.0-pre.0
ecdsa/v0.16.0-pre.1
ecdsa/v0.16.0-rc.0
ecdsa/v0.16.1
ecdsa/v0.16.3
ecdsa/v0.16.4
ecdsa/v0.16.5
ecdsa/v0.16.6
ecdsa/v0.16.7
ecdsa/v0.16.8
ecdsa/v0.16.9
ecdsa/v0.17.0-pre.0
ecdsa/v0.17.0-pre.1
ecdsa/v0.17.0-pre.2
ecdsa/v0.17.0-pre.3
ecdsa/v0.17.0-pre.4
ecdsa/v0.17.0-pre.5
ecdsa/v0.17.0-pre.6
ecdsa/v0.17.0-pre.7
ecdsa/v0.17.0-pre.8
ecdsa/v0.17.0-pre.9
ecdsa/v0.17.0-rc.0
ecdsa/v0.17.0-rc.1
ecdsa/v0.17.0-rc.10
ecdsa/v0.17.0-rc.11
ecdsa/v0.17.0-rc.12
ecdsa/v0.17.0-rc.13
ecdsa/v0.17.0-rc.14
ecdsa/v0.17.0-rc.2
ecdsa/v0.17.0-rc.3
ecdsa/v0.17.0-rc.4
ecdsa/v0.17.0-rc.5
ecdsa/v0.17.0-rc.6
ecdsa/v0.17.0-rc.7
ecdsa/v0.17.0-rc.8
ecdsa/v0.17.0-rc.9
ecdsa/v0.2.0
ecdsa/v0.2.1
ecdsa/v0.3.0
ecdsa/v0.4.0
ecdsa/v0.5.0
ecdsa/v0.5.0-pre
ecdsa/v0.6.0
ecdsa/v0.6.1
ecdsa/v0.7.0
ecdsa/v0.7.1
ecdsa/v0.7.2
ecdsa/v0.8.0
ecdsa/v0.8.1
ecdsa/v0.8.2
ecdsa/v0.8.3
ecdsa/v0.8.4
ecdsa/v0.8.5
ecdsa/v0.9.0
ed25519/2.*
ed25519/2.0.0-pre.0
ed25519/v0.*
ed25519/v0.1.0
ed25519/v0.2.0
ed25519/v1.*
ed25519/v1.0.0
ed25519/v1.0.0-pre.0
ed25519/v1.0.0-pre.1
ed25519/v1.0.0-pre.2
ed25519/v1.0.0-pre.3
ed25519/v1.0.0-pre.4
ed25519/v1.0.1
ed25519/v1.0.2
ed25519/v1.0.3
ed25519/v1.1.0
ed25519/v1.1.1
ed25519/v1.2.0
ed25519/v1.3.0
ed25519/v1.4.0
ed25519/v1.4.1
ed25519/v1.5.0
ed25519/v1.5.1
ed25519/v1.5.2
ed25519/v2.*
ed25519/v2.0.0
ed25519/v2.0.0-pre.1
ed25519/v2.0.0-pre.2
ed25519/v2.0.0-rc.0
ed25519/v2.0.1
ed25519/v2.1.0
ed25519/v2.2.0
ed25519/v2.2.1
ed25519/v2.2.2
ed25519/v2.2.3
ed25519/v2.3.0-pre.0
ed25519/v3.*
ed25519/v3.0.0-pre.0
ed25519/v3.0.0-rc.0
ed25519/v3.0.0-rc.1
ed25519/v3.0.0-rc.2
ed448/0.*
ed448/0.5.0-rc.0
ed448/v0.*
ed448/v0.5.0-rc.1
ed448/v0.5.0-rc.2
lms-signature/v0.*
lms-signature/v0.0.1
lms-signature/v0.1.0-rc.0
ml-dsa/v0.*
ml-dsa/v0.0.4
ml-dsa/v0.1.0-pre.0
ml-dsa/v0.1.0-pre.1
ml-dsa/v0.1.0-pre.2
ml-dsa/v0.1.0-rc.0
ml-dsa/v0.1.0-rc.1
ml-dsa/v0.1.0-rc.2
ml-dsa/v0.1.0-rc.3
rfc6979/v0.*
rfc6979/v0.1.0
rfc6979/v0.2.0
rfc6979/v0.2.0-pre.0
rfc6979/v0.3.0
rfc6979/v0.3.1
rfc6979/v0.4.0
rfc6979/v0.4.0-pre.0
rfc6979/v0.5.0-pre.0
rfc6979/v0.5.0-pre.1
rfc6979/v0.5.0-pre.2
rfc6979/v0.5.0-pre.3
rfc6979/v0.5.0-rc.0
rfc6979/v0.5.0-rc.1
rfc6979/v0.5.0-rc.2
rfc6979/v0.5.0-rc.3
slh-dsa/v0.*
slh-dsa/v0.0.2
slh-dsa/v0.0.3
slh-dsa/v0.1.0
slh-dsa/v0.2.0-rc.0
slh-dsa/v0.2.0-rc.1
slh-dsa/v0.2.0-rc.2