CVE-2026-24850
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 4 cargo packages depend on ml-dsa (3 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.0.4.
DescriptionGitHub Advisory
The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto ml-dsa crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be strictly increasing. The current implementation uses a non-strict monotonic check (<= instead of <), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict < comparison to <=, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue.
AnalysisAI
The RustCrypto ml-dsa crate versions 0.0.4 through 0.1.0-rc.3 incorrectly validate ML-DSA digital signatures by accepting duplicate hint indices that should be strictly increasing per the FIPS 204 specification, allowing attackers to forge valid signatures that should be rejected. This regression was introduced by a comparison operator change in version 0.0.4 and affects any application relying on this crate for signature verification. A patch is available in version 0.1.0-rc.4.
Technical ContextAI
This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affects Starting in version 0.0.4 and. The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto ml-dsa crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be strictly increasing. The current implementation uses a non-strict monoto
Affected ProductsAI
Product: Starting in version 0.0.4 and. Versions: up to 0.1.0.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5x2r-hc65-25f9