CVE-2026-22705
MEDIUMRustCrypto: Signatures <0.1.0-rc.2 - Timing Side-channel
Title source: llmDescription
RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7
Issue Tracking x_refsource_misc
https://github.com/RustCrypto/signatures/pull/1144
Scores
CVSS v3
6.4
EPSS
0.0017
EPSS Percentile
6.9%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1240
Status
published
Products (2)
crates.io/ml-dsa
0 - 0.1.0-rc.2crates.io
RustCrypto/signatures
< 0.1.0-rc.2
Published
Jan 10, 2026
Tracked Since
Feb 18, 2026