RUSTSEC-2026-0126

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0126
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0126.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0126
Published
2026-04-27T12:00:00Z
Modified
2026-05-13T10:15:29.201476Z
Summary
AVX2 Implementation Did Not Fully Reduce Intermediate Values
Details

The AVX2 implementation of ML-DSA did not fully reduce intermediate inputs to the inverse NTT, which leads to a testable difference in panic behaviour of internal functions compared to the portable implementation.

Impact

We are not aware of inputs to the public key generation, signing or verification APIs that trigger a panic in the AVX2 implementation because the intermediate values were not fully reduced.

Mitigation

From version 0.0.9 intermediate values on AVX2 platforms are fully reduced in alignment with the portable implementation.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / libcrux-ml-dsa

Package

Name
libcrux-ml-dsa
View open source insights on deps.dev
Purl
pkg:cargo/libcrux-ml-dsa

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.0.9

Ecosystem specific 

{
    "affected_functions": null,
    "affects": {
        "arch": [
            "x86_64"
        ],
        "functions": [],
        "os": []
    }
}

Database specific

categories 
[]
source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0126.json"
informational 
"notice"
cvss 
null