CVE-2026-24850

MEDIUM

ml-dsa 0.0.4-0.1.0-rc.3 - Improper Verification of Cryptographic Signature via Duplicate Hint Indices

Title source: llm
STIX 2.1

Description

The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue.

References (11)

Core 11
Core References
Issue Tracking x_refsource_misc
https://github.com/RustCrypto/signatures/issues/894
Issue Tracking x_refsource_misc
https://github.com/RustCrypto/signatures/pull/895
Various Sources x_refsource_misc
https://csrc.nist.gov/pubs/fips/204/final
Various Sources x_refsource_misc
https://datatracker.ietf.org/doc/html/rfc9881
Various Sources x_refsource_misc
https://github.com/C2SP/wycheproof

Scores

CVSS v3 5.3
EPSS 0.0030
EPSS Percentile 21.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-347
Status published
Products (2)
crates.io/ml-dsa 0.0.4 - 0.1.0-rc.4crates.io
RustCrypto/signatures >= 0.0.4, < 0.1.0-rc.4
Published Jan 28, 2026
Tracked Since Feb 18, 2026