CVE-2026-41509 Overview
CVE-2026-41509 is a stack-based buffer overflow [CWE-121] in the CROSS post-quantum signature algorithm implementation maintained by the CROSS-signature project. The flaw resides in the crypto_sign_open() function, where an attacker-controlled smlen value smaller than sizeof(CROSS_sig_t) causes the computed mlen to underflow. The underflow produces an extremely large unsigned length that drives subsequent memory operations beyond their intended bounds. The defect affects all builds of cross-crypto:cross-implementation prior to commit fc6b7e7.
Critical Impact
A network-reachable attacker can submit a malformed signed message to trigger memory corruption in the verifier, leading to integrity and availability impact on cryptographic operations.
Affected Products
- CROSS-signature CROSS-implementation reference build prior to commit fc6b7e7
- CROSS-signature CROSS-implementation optimized build prior to commit fc6b7e7
- Downstream projects integrating the vulnerable crypto_sign_open() API
Discovery Timeline
- 2026-05-08 - CVE-2026-41509 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41509
Vulnerability Analysis
The CROSS reference and optimized implementations expose crypto_sign_open() to verify a signed message. The function computes the original message length by subtracting the fixed structure size sizeof(CROSS_sig_t) from the caller-supplied smlen. When smlen is smaller than that structure size, the subtraction on an unsigned mlen wraps around to a near-SIZE_MAX value.
Downstream code then treats this wrapped value as a valid length when copying or reading signature material from the stack-resident buffers used by the verifier. The result is an out-of-bounds access classified under [CWE-121] stack-based buffer overflow. The condition is reachable without authentication because verification routines are exposed to any party able to submit a signature.
Root Cause
The root cause is missing input validation on the signed-message length before performing pointer arithmetic. The implementation assumed smlen >= sizeof(CROSS_sig_t) without enforcing that invariant. Unsigned integer underflow then converts a short input into an oversized length used by later memory operations.
Attack Vector
Exploitation requires the attacker to deliver a crafted signed message to any service that calls crypto_sign_open() from the vulnerable build. No privileges, user interaction, or local access are required. Impact is bounded by what the verifier process can reach in memory, with confirmed integrity and availability effects on the cryptographic primitive.
// Source: https://github.com/CROSS-signature/CROSS-implementation/commit/fc6b7e78cdf789bb5c395a81dc601356f1383da0
// Patch in Reference_Implementation/lib/sign.c - enforces minimum smlen
const unsigned char *pk) // in parameter
{
+ if (smlen < (size_t) sizeof(CROSS_sig_t)) {
+ return -1;
+ }
+
/* verify returns 1 if signature is ok, 0 otherwise */
*mlen = smlen-(unsigned long long) sizeof(CROSS_sig_t);
The patch adds an explicit length check that returns -1 before the subtraction, eliminating the underflow path.
Detection Methods for CVE-2026-41509
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes that invoke crypto_sign_open() on CROSS signatures
- Inbound signed-message payloads where total length is shorter than the expected CROSS_sig_t structure size
- Repeated verification failures from a single source preceding service instability
Detection Strategies
- Inspect dependency manifests and build artifacts for cross-crypto:cross-implementation checkouts prior to commit fc6b7e7
- Instrument verifier entry points with bounds assertions on smlen to log undersized inputs
- Run fuzzing harnesses against crypto_sign_open() with truncated signed-message buffers to surface vulnerable builds
Monitoring Recommendations
- Forward verifier process crash reports and core dumps to a centralized log pipeline for correlation
- Track abnormal rates of signature verification failures per source identity
- Monitor binaries linked against pre-patch CROSS object files using software composition analysis
How to Mitigate CVE-2026-41509
Immediate Actions Required
- Update the CROSS-implementation source tree to commit fc6b7e7 or later and rebuild all dependent binaries
- Audit applications and libraries that statically link CROSS verifier code and redeploy them
- Restrict exposure of signature verification endpoints to trusted callers until patched builds are deployed
Patch Information
The upstream fix is available in CROSS-implementation commit fc6b7e7. Additional details are documented in GitHub Security Advisory GHSA-w72c-hgx8-p7cv. Consumers must rebuild and redistribute artifacts that embed the affected sources.
Workarounds
- Wrap calls to crypto_sign_open() with a caller-side check that rejects inputs where smlen < sizeof(CROSS_sig_t)
- Place the verifier behind a length-validating proxy that drops undersized signed messages before they reach the cryptographic library
- Disable the affected verification path in services that do not require CROSS signatures until patched builds are available
# Pin the patched commit in a git submodule consumer
cd third_party/CROSS-implementation
git fetch origin
git checkout fc6b7e78cdf789bb5c395a81dc601356f1383da0
cd ../..
git add third_party/CROSS-implementation
git commit -m "Bump CROSS-implementation to fc6b7e7 (CVE-2026-41509)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
