{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24850", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T14:51:03.060Z", "datePublished": "2026-01-28T00:24:53.146Z", "dateUpdated": "2026-01-28T14:54:22.827Z"}, "containers": {"cna": {"title": "ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9"}, {"name": "https://github.com/RustCrypto/signatures/issues/894", "tags": ["x_refsource_MISC"], "url": "https://github.com/RustCrypto/signatures/issues/894"}, {"name": "https://github.com/RustCrypto/signatures/pull/895", "tags": ["x_refsource_MISC"], "url": "https://github.com/RustCrypto/signatures/pull/895"}, {"name": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a", "tags": ["x_refsource_MISC"], "url": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a"}, {"name": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38", "tags": ["x_refsource_MISC"], "url": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38"}, {"name": "https://csrc.nist.gov/pubs/fips/204/final", "tags": ["x_refsource_MISC"], "url": "https://csrc.nist.gov/pubs/fips/204/final"}, {"name": "https://datatracker.ietf.org/doc/html/rfc9881", "tags": ["x_refsource_MISC"], "url": "https://datatracker.ietf.org/doc/html/rfc9881"}, {"name": "https://github.com/C2SP/wycheproof", "tags": ["x_refsource_MISC"], "url": "https://github.com/C2SP/wycheproof"}, {"name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json", "tags": ["x_refsource_MISC"], "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json"}, {"name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json", "tags": ["x_refsource_MISC"], "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json"}, {"name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json", "tags": ["x_refsource_MISC"], "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json"}], "affected": [{"vendor": "RustCrypto", "product": "signatures", "versions": [{"version": ">= 0.0.4, < 0.1.0-rc.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T00:24:53.146Z"}, "descriptions": [{"lang": "en", "value": "The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue."}], "source": {"advisory": "GHSA-5x2r-hc65-25f9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:53:25.394412Z", "id": "CVE-2026-24850", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:54:22.827Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24850", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:53:25.394412Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:54:14.295Z"}}], "cna": {"title": "ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices", "source": {"advisory": "GHSA-5x2r-hc65-25f9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "RustCrypto", "product": "signatures", "versions": [{"status": "affected", "version": ">= 0.0.4, < 0.1.0-rc.4"}]}], "references": [{"url": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9", "name": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/RustCrypto/signatures/issues/894", "name": "https://github.com/RustCrypto/signatures/issues/894", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/RustCrypto/signatures/pull/895", "name": "https://github.com/RustCrypto/signatures/pull/895", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a", "name": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38", "name": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38", "tags": ["x_refsource_MISC"]}, {"url": "https://csrc.nist.gov/pubs/fips/204/final", "name": "https://csrc.nist.gov/pubs/fips/204/final", "tags": ["x_refsource_MISC"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc9881", "name": "https://datatracker.ietf.org/doc/html/rfc9881", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/C2SP/wycheproof", "name": "https://github.com/C2SP/wycheproof", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json", "name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json", "name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json", "name": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T00:24:53.146Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24850", "state": "PUBLISHED", "dateUpdated": "2026-01-28T14:54:22.827Z", "dateReserved": "2026-01-27T14:51:03.060Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T00:24:53.146Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue."}, {"lang": "es", "value": "El *crate* ML-DSA es una implementaci\u00f3n en Rust del Est\u00e1ndar de Firma Digital Basado en M\u00f3dulos de Ret\u00edculos (ML-DSA). A partir de la versi\u00f3n 0.0.4 y antes de la versi\u00f3n 0.1.0-rc.4, la implementaci\u00f3n de verificaci\u00f3n de firma ML-DSA en el *crate* 'ml-dsa' de RustCrypto acepta incorrectamente firmas con \u00edndices de pista repetidos (duplicados). Seg\u00fan la especificaci\u00f3n ML-DSA (FIPS 204 / RFC 9881), los \u00edndices de pista dentro de cada polinomio deben ser estrictamente crecientes. La implementaci\u00f3n actual utiliza una comprobaci\u00f3n mon\u00f3tona no estricta ('&lt;=' en lugar de '&lt;'), permitiendo \u00edndices duplicados. Esto es un error de regresi\u00f3n. La implementaci\u00f3n original era correcta, pero un *commit* en la versi\u00f3n 0.0.4 cambi\u00f3 inadvertidamente la comparaci\u00f3n estricta '&lt;' a '&lt;=', introduciendo la vulnerabilidad. La versi\u00f3n 0.1.0-rc.4 corrige el problema."}], "id": "CVE-2026-24850", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-28T01:16:15.097", "references": [{"source": "security-advisories@github.com", "url": "https://csrc.nist.gov/pubs/fips/204/final"}, {"source": "security-advisories@github.com", "url": "https://datatracker.ietf.org/doc/html/rfc9881"}, {"source": "security-advisories@github.com", "url": "https://github.com/C2SP/wycheproof"}, {"source": "security-advisories@github.com", "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json"}, {"source": "security-advisories@github.com", "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json"}, {"source": "security-advisories@github.com", "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json"}, {"source": "security-advisories@github.com", "url": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a"}, {"source": "security-advisories@github.com", "url": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38"}, {"source": "security-advisories@github.com", "url": "https://github.com/RustCrypto/signatures/issues/894"}, {"source": "security-advisories@github.com", "url": "https://github.com/RustCrypto/signatures/pull/895"}, {"source": "security-advisories@github.com", "url": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:48:36.973934+00:00", "value": {"mitigation_remediation": ["Update the RustCrypto signatures ml\u2011dsa crate to version 0.1.0\u2011rc.4 or later and rebuild your application.", "Redeploy the updated application so that the fixed verification logic is active.", "Verify that signature verification passes the wycheproof ml\u2011dsa test vectors to ensure compliance.", "If the update cannot be applied immediately, consider temporarily blocking signatures with non\u2011increasing hint indices in your application logic or switching to a different signature scheme until the patch is applied."], "summary": {"action": "Apply Patch", "impact": "Forged signature acceptance"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the RustCrypto signatures library, specifically the ml\u2011dsa crate, from version 0.0.4 up to and including 0.1.0-rc.3. Any application that uses these crate versions for ML\u2011DSA signature verification is affected. The issue was fixed starting with version 0.1.0-rc.4.", "description_and_impact": "The ML-DSA crate in the RustCrypto signatures library implements the Module\u2011Lattice\u2011Based Digital Signature Standard. A regression in version 0.0.4 changed a strict increasing hint\u2011index check to a non\u2011strict one, allowing signatures that contain duplicate hint indices. The specification requires strictly increasing indices; by accepting duplicates the verification process incorrectly accepts malformed signatures, potentially enabling an attacker to forge a valid signature and bypass authenticity checks. This flaw is a correctness failure (CWE\u2011347).", "risk_and_exploitability": "The CVSS base score is 5.3, indicating medium severity, while the EPSS score is less than 1\u202f%, showing a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited real\u2011world exploitation. An attacker would need to supply a forged signature containing duplicate hint indices to a system that accepts external signatures, which is an unprivileged attack scenario. The impact is limited to the integrity of signed data but could be critical in contexts where authentic signatures are required."}}}}, "created": "2026-01-28T12:21:39.420022+00:00", "updated": "2026-04-18T02:00:10.459843+00:00", "vendors": ["rustcrypto", "rustcrypto$PRODUCT$ml-dsa"]}