CVE-2024-31510

9.8 CRITICAL

📋 TL;DR

A vulnerability in Open Quantum Safe liboqs v10.0 allows remote attackers to escalate privileges via a fault injection attack on the crypto_sign_signature parameter in the ML-DSA implementation. This affects systems using liboqs for post-quantum cryptography, particularly those implementing ML-DSA signatures. Attackers could potentially forge signatures or bypass authentication mechanisms.

💻 Affected Systems

Products:
  • Open Quantum Safe liboqs
Versions: Version 10.0
Operating Systems: All platforms where liboqs is compiled and used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the ML-DSA implementation (pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2) for digital signatures. Systems using other algorithms or not using the AVX2-optimized implementation may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation leading to unauthorized access, data theft, or service disruption in systems relying on ML-DSA signatures for authentication or integrity verification.

🟠 Likely Case

Signature forgery allowing attackers to impersonate legitimate users or services, potentially bypassing authentication controls in applications using vulnerable liboqs implementations.

🟢 If Mitigated

Limited impact if systems have additional security layers, proper input validation, or don't use the vulnerable ML-DSA component in critical authentication paths.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires fault injection capabilities (like voltage glitching or clock glitching) to manipulate the crypto_sign_signature parameter during signature generation. Public proof-of-concept demonstrates the attack methodology.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 0.10.1 or later

Vendor Advisory: https://github.com/open-quantum-safe/liboqs

Restart Required: Yes

Instructions:

1. Check current liboqs version.
2. Update to liboqs version 0.10.1 or later.
3. Recompile and relink applications using liboqs.
4. Restart affected services.
5. Verify the fix by testing signature functionality.

🔧 Temporary Workarounds

Disable vulnerable ML-DSA component

Platform: all

Temporarily disable or avoid using the affected ML-DSA implementation (pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2) in liboqs

  • Reconfigure applications to use alternative signature algorithms not affected by this vulnerability

Implement fault injection countermeasures

Platform: all

Add hardware or software-based fault injection detection mechanisms

  • Implement redundant signature verification
  • Add checksum validation on signature parameters
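
The "redundant signature verification" countermeasure above, sketched as a verify-after-sign wrapper. This is an added example, not liboqs code: `sign_checked`, the callback types and the toy checksum scheme are hypothetical, and in a real application the callbacks would wrap `OQS_SIG_sign()` and `OQS_SIG_verify()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical callback types. In a liboqs application they would wrap
 * OQS_SIG_sign() and OQS_SIG_verify() for the configured algorithm. */
typedef int (*sign_fn)(uint8_t *sig, size_t *len, const uint8_t *msg, size_t n, const void *sk);
typedef int (*verify_fn)(const uint8_t *sig, size_t len, const uint8_t *msg, size_t n, const void *pk);

/* Sign, then verify with the public key before releasing the signature.
 * Returns 0 on success; otherwise wipes the buffer and returns -1. */
int sign_checked(sign_fn sign, verify_fn verify, uint8_t *sig, size_t *len, size_t cap,
                 const uint8_t *msg, size_t n, const void *sk, const void *pk)
{
    volatile int v1 = -1, v2 = -1; /* two checks: one skipped compare is not enough */
    if (sign(sig, len, msg, n, sk) == 0) {
        v1 = verify(sig, *len, msg, n, pk);
        v2 = verify(sig, *len, msg, n, pk);
        if (v1 == 0 && v2 == 0) return 0;
    }
    memset(sig, 0, cap);
    *len = 0;
    return -1;
}

/* Constructed stand-in (NOT cryptography), so the wrapper runs without liboqs. */
static int inject_fault = 0; /* simulates a corrupted signing computation */
static void toy_tag(uint8_t out[8], const uint8_t *msg, size_t n, const uint8_t *key) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) h = (h ^ msg[i] ^ key[i % 4]) * 1099511628211ULL;
    memcpy(out, &h, 8);
}
static int toy_sign(uint8_t *sig, size_t *len, const uint8_t *msg, size_t n, const void *sk) {
    toy_tag(sig, msg, n, sk);
    if (inject_fault) sig[3] ^= 0x40; /* flip one bit of the result */
    *len = 8;
    return 0;
}
static int toy_verify(const uint8_t *sig, size_t len, const uint8_t *msg, size_t n, const void *pk) {
    uint8_t t[8];
    toy_tag(t, msg, n, pk);
    return (len == 8 && memcmp(t, sig, 8) == 0) ? 0 : -1;
}
int demo(int fault) { /* sign_checked() result on constructed inputs */
    static const uint8_t key[4] = {1, 2, 3, 4}, msg[] = "constructed message";
    uint8_t sig[8];
    size_t len = 0;
    inject_fault = fault;
    return sign_checked(toy_sign, toy_verify, sig, &len, sizeof sig, msg, sizeof msg - 1, key, key);
}
```

The wrapper only catches faults whose output fails verification, so it complements the update to the patched version rather than replacing it.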

🧯 If You Can't Patch

  • Isolate systems using vulnerable liboqs implementation behind additional network security controls
  • Implement application-level signature verification with multiple independent checks

🔍 How to Verify

Check if Vulnerable:

Check if liboqs version is 0.10.0 and if applications use the ML-DSA signature implementation. Review application code for calls to vulnerable functions.

Check Version:

ldd /path/to/application | grep liboqs (shows which liboqs library the binary links against), or check application dependencies for the liboqs version

Verify Fix Applied:

Verify liboqs version is 0.10.1 or later and test signature generation/verification functionality with the ML-DSA implementation.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed signature verification attempts
  • Unexpected signature validation errors
  • Anomalous authentication patterns

Network Indicators:

  • Unusual traffic patterns to services using post-quantum cryptography
  • Multiple authentication requests with similar timing

SIEM Query:

source="application_logs" AND (signature_failure OR auth_failure) AND process="*liboqs*"
