CVE-2026-24850 Overview
CVE-2026-24850 is a cryptographic vulnerability in the RustCrypto ml-dsa crate, a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). The vulnerability exists in the signature verification implementation, which incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be strictly increasing. The flawed implementation uses a non-strict monotonic check (<= instead of <), allowing duplicate indices and potentially accepting invalid signatures.
Critical Impact
This vulnerability allows attackers to craft malformed signatures with duplicate hint indices that will be incorrectly validated as authentic, potentially undermining the integrity guarantees provided by ML-DSA digital signatures in post-quantum cryptographic applications.
Affected Products
- RustCrypto ml-dsa crate versions 0.0.4 through 0.1.0-rc.3
- Applications and libraries depending on vulnerable ml-dsa crate versions
- Systems implementing ML-DSA signature verification using the affected crate
Discovery Timeline
- 2026-01-28 - CVE CVE-2026-24850 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24850
Vulnerability Analysis
This vulnerability represents a regression bug introduced in version 0.0.4 of the ml-dsa crate. The original implementation correctly enforced strict monotonicity of hint indices during signature verification, but a code change inadvertently modified the comparison operator from < (strict less than) to <= (less than or equal), violating the ML-DSA specification requirements.
The ML-DSA algorithm uses hint values as part of its signature scheme to help verifiers recover certain intermediate values during verification. According to the specification, these hint indices must be strictly increasing within each polynomial to ensure unique representation and prevent signature malleability. By accepting duplicate indices, the implementation deviates from the standard behavior defined in FIPS 204, potentially allowing signatures that should be rejected to pass verification.
The vulnerability was identified through Wycheproof test vectors, which are specifically designed to catch edge cases and implementation flaws in cryptographic libraries.
Root Cause
The root cause is an incorrect comparison operator in the hint index validation logic within ml-dsa/src/hint.rs. The original monotonic() helper function was replaced with an inline check, but the comparison was incorrectly implemented as <= instead of <. This means two consecutive hint indices with the same value would pass validation when they should be rejected per the ML-DSA specification. The CWE-347 (Improper Verification of Cryptographic Signature) classification accurately reflects this improper signature verification flaw.
Attack Vector
An attacker can exploit this vulnerability by crafting ML-DSA signatures containing duplicate hint indices. When these malformed signatures are verified by an application using the vulnerable ml-dsa crate, they will incorrectly pass verification. This could be leveraged in scenarios where signature validity is critical, such as:
- Authentication systems relying on ML-DSA for identity verification
- Software distribution systems using ML-DSA for package signing
- Document signing applications implementing post-quantum cryptography
- Blockchain or distributed ledger systems using ML-DSA signatures
The following code shows the security patch applied to fix the vulnerability:
let gamma2 = TwoGamma2::U32 / 2;
if h && r0.0 <= gamma2 {
Elem::new((r1.0 + 1) % m)
- } else if h && r0.0 > BaseField::Q - gamma2 {
+ } else if h && r0.0 >= BaseField::Q - gamma2 {
Elem::new((r1.0 + m - 1) % m)
} else if h {
// We use the Elem encoding even for signed integers. Since r0 is computed
- // mod+- 2*gamma2, it is guaranteed to be in (gamma2, gamma2].
+ // mod+- 2*gamma2 (possibly minus 1), it is guaranteed to be in [-gamma2, gamma2].
unreachable!();
} else {
r1
}
}
-#[derive(Clone, PartialEq)]
+#[derive(Clone, PartialEq, Debug)]
pub struct Hint<P>(pub Array<Array<bool, U256>, P::K>)
where
P: SignatureParams;
Source: RustCrypto Commit #b01c3b73
Detection Methods for CVE-2026-24850
Indicators of Compromise
- Applications accepting signatures with duplicate hint indices that would be rejected by compliant implementations
- Unexpected signature verification successes when processing non-standard or malformed ML-DSA signatures
- Discrepancies between signature verification results when comparing against reference implementations
Detection Strategies
- Run the Wycheproof ML-DSA test vectors against your ML-DSA implementation to identify verification failures
- Audit application dependencies using cargo audit or similar tools to identify vulnerable ml-dsa crate versions
- Implement cross-validation by verifying critical signatures against multiple independent ML-DSA implementations
- Review build manifests and lock files for ml-dsa versions between 0.0.4 and 0.1.0-rc.3
Monitoring Recommendations
- Monitor for dependency updates in Rust projects using the ml-dsa crate
- Set up automated alerts for security advisories related to RustCrypto libraries
- Implement logging for signature verification operations to enable forensic analysis if needed
How to Mitigate CVE-2026-24850
Immediate Actions Required
- Upgrade the ml-dsa crate to version 0.1.0-rc.4 or later immediately
- Audit any signatures verified during the period the vulnerable version was in use
- Review dependent applications and libraries that may have inherited the vulnerability
- Re-verify critical signatures using the patched implementation
Patch Information
The vulnerability is fixed in version 0.1.0-rc.4 of the ml-dsa crate. The fix restores the correct strict monotonicity check for hint indices during signature verification. Details of the fix can be found in Pull Request #895 and the GitHub Security Advisory GHSA-5x2r-hc65-25f9.
Workarounds
- If immediate upgrade is not possible, implement a pre-verification check that validates hint indices are strictly increasing before passing signatures to the ml-dsa verification function
- Consider using an alternative ML-DSA implementation temporarily until the upgrade can be applied
- Add additional validation layer at the application level to reject signatures with duplicate hint indices
# Update ml-dsa crate in Cargo.toml
cargo update -p ml-dsa --precise 0.1.0-rc.4
# Verify the update
cargo tree -p ml-dsa
# Run Wycheproof tests to confirm fix
cargo test --package ml-dsa -- wycheproof
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
