CVE-2026-22705 Overview
A timing side-channel vulnerability has been discovered in the RustCrypto Signatures library, specifically within the Decompose algorithm used during ML-DSA (Module-Lattice Digital Signature Algorithm) signing operations. This cryptographic weakness allows attackers with adjacent network access to potentially extract sensitive key material by analyzing timing variations in the signature generation process.
The vulnerability affects versions of the RustCrypto Signatures library prior to 0.1.0-rc.2. The timing side-channel exists because the original implementation used hardware integer division instructions, which have variable execution times based on operand values. This timing variance can be exploited to generate hints about the cryptographic operations being performed, potentially leading to key recovery attacks.
Critical Impact
Adjacent network attackers with low privileges can exploit timing variations in the ML-DSA signing process to potentially compromise cryptographic key confidentiality and integrity without user interaction.
Affected Products
- RustCrypto Signatures library versions prior to 0.1.0-rc.2
- Applications implementing ML-DSA digital signatures using affected library versions
- Systems using RustCrypto for post-quantum cryptographic operations
Discovery Timeline
- 2026-01-10 - CVE-2026-22705 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22705
Vulnerability Analysis
The vulnerability resides in the Decompose algorithm implementation within the ML-DSA signing process. ML-DSA is a lattice-based digital signature scheme designed for post-quantum security. During signature generation, the algorithm must compute hint values that are included in the signature structure.
The core issue stems from the use of variable-time integer division operations. Modern CPUs implement hardware division instructions (such as UDIV on ARM or DIV on x86) with execution times that depend on the magnitude of the operands. When these instructions process values derived from secret key material, the timing variations create an observable side-channel.
An attacker positioned on the same network segment can measure these timing differences through techniques such as cache timing analysis, electromagnetic emanation monitoring, or network-based timing measurements. Over multiple signature observations, statistical analysis can reveal information about the private key components.
Root Cause
The root cause is classified under CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation. The original implementation relied on native hardware division operations for computing quotients in the Decompose algorithm. These hardware division instructions exhibit data-dependent timing behavior, violating the constant-time execution requirement essential for cryptographic implementations.
Specifically, the vulnerability manifests in two areas:
- The algebra module's decomposition calculations using standard division
- The NTT (Number Theoretic Transform) butterfly layer computations where runtime loop bounds could trigger division operations
Attack Vector
The attack requires adjacent network access with low privilege requirements. An attacker must be able to observe timing variations in the signature generation process, which typically requires:
- Network proximity to the target system performing ML-DSA signing
- Ability to trigger multiple signature operations
- High-precision timing measurement capabilities
- Statistical analysis tools to correlate timing data with potential key values
The attack does not require user interaction and can be conducted passively once the attacker has established network adjacency.
// Security patch implementing constant-time division via Barrett reduction
// Source: https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558
fn decompose<TwoGamma2: Unsigned>(self) -> (Elem, Elem);
}
/// Constant-time division by a compile-time constant divisor.
///
/// This trait provides a constant-time alternative to the hardware division
/// instruction, which has variable timing based on operand values.
/// Uses Barrett reduction to compute `x / M` where M is a compile-time constant.
pub(crate) trait ConstantTimeDiv: Unsigned {
/// Bit shift for Barrett reduction, chosen to provide sufficient precision
const CT_DIV_SHIFT: usize;
/// Precomputed multiplier: ceil(2^SHIFT / M)
const CT_DIV_MULTIPLIER: u64;
/// Perform constant-time division of x by `Self::U32`
/// Requires: x < Q (the field modulus, ~2^23)
#[allow(clippy::inline_always)] // Required for constant-time guarantees in crypto code
#[inline(always)]
fn ct_div(x: u32) -> u32 {
// Barrett reduction: q = (x * MULTIPLIER) >> SHIFT
// This gives us floor(x / M) for x < 2^SHIFT / MULTIPLIER * M
let x64 = u64::from(x);
let quotient = (x64 * Self::CT_DIV_MULTIPLIER) >> Self::CT_DIV_SHIFT;
// SAFETY: quotient is guaranteed to fit in u32 because:
// - x < Q (~2^23), so quotient = x / M < x < 2^23 < 2^32
#[allow(clippy::cast_possible_truncation, clippy::as_conversions)]
let result = quotient as u32;
result
}
}
Source: GitHub Commit Update
Detection Methods for CVE-2026-22705
Indicators of Compromise
- Unusual patterns of repeated signature requests from network-adjacent hosts
- Timing analysis tools or side-channel attack frameworks detected on network systems
- Statistical correlation attempts against cryptographic operation logs
- Network traffic patterns consistent with timing measurement collection
Detection Strategies
- Implement dependency scanning to identify RustCrypto Signatures versions prior to 0.1.0-rc.2
- Monitor for anomalous signature request patterns that could indicate timing attack attempts
- Deploy network behavior analysis to detect adjacent hosts performing timing measurements
- Use Software Composition Analysis (SCA) tools to track vulnerable library versions in your codebase
Monitoring Recommendations
- Enable detailed logging for ML-DSA signature operations including request sources and timing
- Configure alerts for high-frequency signature requests from single sources
- Implement network segmentation monitoring to detect unauthorized adjacent network access
- Review dependency manifests regularly for outdated cryptographic library versions
How to Mitigate CVE-2026-22705
Immediate Actions Required
- Upgrade RustCrypto Signatures library to version 0.1.0-rc.2 or later immediately
- Audit all applications using ML-DSA signing functionality for vulnerable dependencies
- Consider rotating cryptographic keys if the vulnerable version was used in production environments
- Review network segmentation to limit adjacent network access to systems performing cryptographic operations
Patch Information
The vulnerability has been patched in RustCrypto Signatures version 0.1.0-rc.2. The fix replaces variable-time hardware division operations with constant-time Barrett reduction for all division computations in the cryptographic code paths.
The patch implements:
- A ConstantTimeDiv trait providing Barrett reduction-based division
- Const-generic NTT butterfly layer functions ensuring compile-time constant loop bounds
- Inline always annotations to prevent compiler optimizations that might reintroduce timing variations
For detailed patch information, refer to:
Workarounds
- Isolate systems performing ML-DSA operations from untrusted network segments
- Implement network access controls to prevent adjacent network positioning by potential attackers
- Consider using alternative constant-time signature implementations until upgrade is complete
- Add timing noise or rate limiting to signature operations as a temporary mitigation
# Update RustCrypto Signatures in Cargo.toml
# Ensure minimum version constraint for the patched release
# Update dependency version
cargo update -p signature
# Verify no vulnerable versions remain
cargo audit
# Check specific package version
cargo tree -p ml-dsa
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
