CVE-2026-22705
Timing Side-Channel in RustCrypto Signatures ML-DSA Component
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustcrypto | signatures | to 0.1.0-rc.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1240 | To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a timing side-channel issue in the ML-DSA signature scheme implementation within the RustCrypto signatures library. It arises from the use of hardware integer division instructions (UDIV/SDIV) in the Decompose algorithm during signature generation. These division instructions have variable execution times depending on the operand values, which are derived from secret key components. Because the timing varies with secret data, an attacker who can measure the time precisely could potentially recover secret signing key information. The vulnerability was fixed by replacing the variable-time hardware division with a constant-time division method based on Barrett reduction, which eliminates timing variability and prevents leakage of secret information. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with the ability to perform precise timing measurements on the signature generation process to extract secret signing key information. This compromises the confidentiality and integrity of the cryptographic keys used for digital signatures, potentially enabling forgery or impersonation attacks. The vulnerability has a moderate severity score (CVSS 6.4) and requires an adjacent network attacker with low privileges but high attack complexity. There is no impact on availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the cryptographic implementation for timing side-channels, specifically looking for variable-time hardware division instructions (UDIV/SDIV) used on secret-dependent data during the ML-DSA signature generation process. Detection was performed using a constant-time analyzer that inspects compiled assembly code for data-dependent timing behavior. While no specific network or system commands are provided, using constant-time analysis tools on the RustCrypto signatures library binaries or source code to identify variable-time division operations in the decompose function would be the approach. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the RustCrypto signatures library to version 0.1.0-rc.2 or later, where the timing side-channel in the ML-DSA implementation has been patched. The patch replaces variable-time hardware division with a constant-time division method based on Barrett reduction, eliminating timing variability. If updating is not immediately possible, avoid using vulnerable versions for signing operations and consider applying the constant-time division fix manually if feasible. [1, 2, 3]
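As an added illustration of the fix described in the explanation and mitigation answers above (example code, not the RustCrypto crate's own implementation), the ML-DSA Decompose step is written twice in Rust: once with plain `/` and `%` on the secret-derived operand, which compile to UDIV/SDIV on targets with a hardware divider, and once with the division by alpha = 2*gamma2 replaced by a Barrett reduction (multiply and shift) plus mask-based selection. Assumed: the FIPS 204 modulus q = 8380417 and its two gamma2 values; the function and type names here are chosen for the example and do not correspond to the crate's internals.

```rust
/// ML-DSA modulus q = 2^23 - 2^13 + 1 (FIPS 204).
pub const Q: u32 = 8_380_417;
/// The two gamma2 values used by the ML-DSA parameter sets.
pub const GAMMA2_88: u32 = (Q - 1) / 88;
pub const GAMMA2_32: u32 = (Q - 1) / 32;
/// 23 input bits plus 20 bits of headroom (alpha < 2^20): by the
/// Granlund-Montgomery bound the quotient estimate is exact for all x < 2^23.
const K: u32 = 43;

/// floor(x / d) for 0 <= x < 2^23 and 0 < d < 2^20 with no divide
/// instruction on x. The only division is on the public constant d at setup.
pub struct BarrettDiv { m: u64 }

impl BarrettDiv {
    pub const fn new(d: u32) -> Self {
        Self { m: ((1u64 << K) + d as u64 - 1) / d as u64 } // ceil(2^K / d)
    }
    pub fn quotient(&self, x: u32) -> u32 { ((x as u64 * self.m) >> K) as u32 }
}

/// Branch-free Decompose (FIPS 204 Alg. 36): r = r1*alpha + r0 with
/// r0 in (-alpha/2, alpha/2]; returns (r1, r0). Selection uses masks only.
pub fn decompose_ct(r: u32, gamma2: u32) -> (i32, i32) {
    let alpha = 2 * gamma2;
    let bd = BarrettDiv::new(alpha);
    let mut r1 = bd.quotient(r) as i32;
    let mut r0 = (r - r1 as u32 * alpha) as i32; // 0 <= r0 < alpha
    // mask = -1 iff r0 > alpha/2: move to the centred representative.
    let mask = (gamma2 as i32 - r0) >> 31;
    r0 += mask & -(alpha as i32);
    r1 -= mask;
    // wrap = -1 iff r1*alpha == q-1: then r1 = 0 and r0 -= 1 (top is public).
    let top = ((Q - 1) / alpha) as i32;
    let wrap = ((r1 ^ top) - 1) >> 31;
    r1 &= !wrap;
    r0 += wrap;
    (r1, r0)
}

/// The same function written the obvious way; `%` and `/` on the
/// secret-derived operand r are what become UDIV/SDIV in the compiled code.
pub fn decompose_div(r: u32, gamma2: u32) -> (i32, i32) {
    let alpha = 2 * gamma2;
    let mut r0 = (r % alpha) as i32;
    if r0 > gamma2 as i32 { r0 -= alpha as i32; }
    let mut r1 = (r as i32 - r0) / alpha as i32;
    if r1 * alpha as i32 == Q as i32 - 1 { r1 = 0; r0 -= 1; }
    (r1, r0)
}

/// Exhaustively check that both versions agree for every r in [0, q).
pub fn agree_for_all(gamma2: u32) -> bool {
    (0..Q).all(|r| decompose_ct(r, gamma2) == decompose_div(r, gamma2))
}
```

The exhaustive check is what a reviewer would run once after such a swap: a constant-time replacement must be bit-for-bit equal to the reference over the whole input domain, not just faster or branch-free.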