CVE-2026-24850
Signature Verification Bypass in RustCrypto ml-dsa Crate
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | ml-dsa | From 0.0.4 (inc) to 0.1.0-rc.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is in the signature verification path of the RustCrypto ml-dsa crate. When a signature is decoded, the hint vector h is unpacked from the trailing bytes of the signature (the HintBitUnpack routine of FIPS 204). The specification requires the hint indices listed for each polynomial to be strictly increasing and tells the verifier to reject the signature otherwise. A code change replaced the strict less-than comparison (<) in that check with less-than-or-equal-to (<=), so a signature that repeats a hint index within a polynomial is no longer rejected. Because setting the same hint bit twice yields the same hint polynomial, such a signature still passes the rest of verification even though a conforming verifier would reject it. This is a regression introduced in 0.0.4 and fixed in version 0.1.0-rc.4.
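The following is an added, self-contained illustration and not code from the ml-dsa crate. It re-implements the FIPS 204 hint packing and unpacking steps with a `Mode` switch: `Strict` keeps the specified `<` comparison, `Lax` models the regression by using `<=`. The `duplicate_first_hint` helper is a hypothetical transformation that takes a well-formed hint encoding and repeats its first index, which is the kind of malformed input the bug accepts. Parameters k = 4 and omega = 80 match ML-DSA-44; the hint positions are constructed for the demonstration.

```rust
/// Coefficients per polynomial in ML-DSA.
const N: usize = 256;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode {
    /// Spec-conforming: indices within one polynomial must be strictly increasing.
    Strict,
    /// Models the regression: `<` became `<=`, so a repeated index passes.
    Lax,
}

#[derive(Debug, PartialEq, Eq)]
pub enum HintError {
    BadLength,
    BadCount,
    NonIncreasing,
    TrailingNonZero,
}

/// HintBitUnpack (FIPS 204): `y` holds `omega` index bytes followed by `k`
/// cumulative hint counts. Returns the k hint polynomials or an error.
pub fn hint_bit_unpack(y: &[u8], k: usize, omega: usize, mode: Mode)
    -> Result<Vec<[u8; N]>, HintError>
{
    if y.len() != omega + k {
        return Err(HintError::BadLength);
    }
    let mut h = vec![[0u8; N]; k];
    let mut index = 0usize;
    for i in 0..k {
        let end = y[omega + i] as usize;
        if end < index || end > omega {
            return Err(HintError::BadCount);
        }
        let first = index;
        while index < end {
            if index > first {
                // The check at the heart of the CVE: Strict is what the
                // specification mandates, Lax is the regressed comparison.
                let ordered = match mode {
                    Mode::Strict => y[index - 1] < y[index],
                    Mode::Lax => y[index - 1] <= y[index],
                };
                if !ordered {
                    return Err(HintError::NonIncreasing);
                }
            }
            h[i][y[index] as usize] = 1;
            index += 1;
        }
    }
    // Unused index slots must be zero.
    if y[index..omega].iter().any(|&b| b != 0) {
        return Err(HintError::TrailingNonZero);
    }
    Ok(h)
}

/// HintBitPack (FIPS 204), used here only to build well-formed inputs.
pub fn hint_bit_pack(h: &[[u8; N]], omega: usize) -> Vec<u8> {
    let k = h.len();
    let mut y = vec![0u8; omega + k];
    let mut index = 0usize;
    for i in 0..k {
        for j in 0..N {
            if h[i][j] != 0 {
                y[index] = j as u8;
                index += 1;
            }
        }
        y[omega + i] = index as u8;
    }
    y
}

/// Hypothetical malleation: repeat the first hint index of polynomial 0.
/// Needs at least one hint in polynomial 0 and a spare index slot.
pub fn duplicate_first_hint(y: &[u8], k: usize, omega: usize) -> Option<Vec<u8>> {
    let total = y[omega + k - 1] as usize;
    if y[omega] == 0 || total >= omega {
        return None;
    }
    let mut out = y.to_vec();
    out.copy_within(0..total, 1); // shift existing indices right by one
    out[0] = y[0];                // out[0] == out[1]: the duplicate
    for i in 0..k {
        out[omega + i] += 1;      // the extra entry lands in polynomial 0
    }
    Some(out)
}

fn main() {
    let (k, omega) = (4usize, 80usize); // ML-DSA-44 parameters
    let mut h = vec![[0u8; N]; k];      // constructed hint pattern
    h[0][3] = 1; h[0][17] = 1; h[0][200] = 1; h[2][5] = 1;
    let y = hint_bit_pack(&h, omega);
    let forged = duplicate_first_hint(&y, k, omega).unwrap();
    println!("strict: {:?}", hint_bit_unpack(&forged, k, omega, Mode::Strict).err());
    println!("lax accepts same hints: {}",
        hint_bit_unpack(&forged, k, omega, Mode::Lax) == Ok(h));
}
```

The point the block makes is that the malformed encoding decodes, under the relaxed comparison, to exactly the same hint polynomials as the original signature, so every later verification step succeeds; a conforming verifier stops at the ordering check and never reaches them.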
How can this vulnerability impact me?
Any application that verifies ML-DSA signatures with an affected version will accept signatures that a spec-conforming verifier rejects. In particular, anyone holding a valid signature on a message can produce a byte-different signature on the same message by repeating a hint index, so the crate no longer provides the non-malleability (strong unforgeability) guarantee ML-DSA is designed to give. Systems that rely on a signature being unique or canonical (for example deduplication, replay detection, or transcript hashing) can be manipulated, and the crate's acceptance decisions diverge from those of other verifiers. The page does not state that the flaw allows signatures to be produced without the private key.
What immediate steps should I take to mitigate this vulnerability?
Update the ml-dsa crate to version 0.1.0-rc.4 or later, which restores the strict ordering check on hint indices. Versions from 0.0.4 up to but not including 0.1.0-rc.4 are affected; check for them in your lock file (for example with `cargo tree -i ml-dsa`) and re-verify any signatures that were accepted by an affected version if uniqueness of those signatures matters to your system.