CVE-2026-41509
CRITICAL
Integer underflow in crypto_sign_open() leads to buffer overflow
Title source: cna
Description
CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer overflow in crypto_sign_open() caused by an underflow of the integer mlen. This issue has been patched via commit fc6b7e7.
References (2)
x_refsource_confirm
https://github.com/CROSS-signature/CROSS-implementation/security/advisories/GHSA-w72c-hgx8-p7cv
x_refsource_misc
https://github.com/CROSS-signature/CROSS-implementation/commit/fc6b7e78cdf789bb5c395a81dc601356f1383da0
Scores
CVSS v3
9.8
EPSS
0.0034
EPSS Percentile
25.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-121
CWE-122
Status
published
Products (2)
cross-crypto/cross-implementation
< 2026-03-23
CROSS-signature/CROSS-implementation
< fc6b7e78cdf789bb5c395a81dc601356f1383da0
Published
May 08, 2026
Tracked Since
May 08, 2026