CVE-2026-24850
📋 TL;DR
This vulnerability in the ML-DSA Rust crate allows attackers to forge digital signatures by exploiting a validation flaw where duplicate hint indices are incorrectly accepted. Systems using ML-DSA for cryptographic signatures in affected versions are vulnerable to signature forgery attacks. This affects any application relying on ML-DSA for authentication or integrity verification.
💻 Affected Systems
- ML-DSA Rust crate (RustCrypto implementation)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of cryptographic integrity, allowing attackers to forge signatures for arbitrary data, potentially leading to authentication bypass, data tampering, or system compromise.
Likely Case
Signature forgery enabling unauthorized access or data manipulation in systems using ML-DSA for verification.
If Mitigated
Limited impact if additional signature validation layers exist or if ML-DSA is used in non-critical contexts.
🎯 Exploit Status
Wycheproof test vectors exist for verification testing. Exploitation requires generating signatures with duplicate hint indices, which violates the ML-DSA specification but passes the flawed validation.
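The check a verifier must apply when decoding the hint part of an ML-DSA signature, as an added example that is not code from the ml-dsa crate or its fix: FIPS 204 Algorithm 21 (HintBitUnpack) requires the hint indices within each polynomial to be strictly increasing, so a repeated index is a malformed signature. The `strict` flag is an assumption of this example that models the lenient comparison described above, not the crate's actual change; the ML-DSA-44 parameters (k = 4, omega = 80) are from FIPS 204.

```rust
// Added example, not code from the ml-dsa crate: FIPS 204 Algorithm 21 (HintBitUnpack)
// re-implemented to show the strict-increase check that rejects a repeated hint index.
// `strict = false` models the class of flaw this CVE describes (a lenient comparison
// that lets duplicates through); it is an illustration, not the crate's actual change.

pub const ML_DSA_44_K: usize = 4; // polynomials in the hint vector
pub const ML_DSA_44_OMEGA: usize = 80; // maximum total number of hints

/// Decode a hint vector `y` of `omega + k` bytes into per-polynomial index lists.
/// `y[0..omega]` holds all hint indices concatenated; `y[omega + i]` is the
/// cumulative hint count after polynomial `i`. Returns None on malformed input.
pub fn hint_bit_unpack(y: &[u8], k: usize, omega: usize, strict: bool) -> Option<Vec<Vec<u8>>> {
    if y.len() != omega + k { return None; }
    let mut hints = Vec::with_capacity(k);
    let mut idx = 0usize;
    for i in 0..k {
        let end = y[omega + i] as usize;
        // Cumulative counts must not go backwards or exceed omega.
        if end < idx || end > omega { return None; }
        let first = idx;
        let mut poly = Vec::new();
        while idx < end {
            // Within one polynomial indices must be strictly increasing; the lenient
            // comparison only rejects a decrease, so an equal (repeated) index passes.
            if idx > first {
                let (prev, cur) = (y[idx - 1], y[idx]);
                if (strict && prev >= cur) || (!strict && prev > cur) { return None; }
            }
            poly.push(y[idx]);
            idx += 1;
        }
        hints.push(poly);
    }
    // Unused slots of the index area must be zero so every signature has one encoding.
    if y[idx..omega].iter().any(|&b| b != 0) { return None; }
    Some(hints)
}

/// Encode per-polynomial hint lists without validating them, so that both
/// well-formed and malformed (duplicate-index) inputs can be constructed for testing.
pub fn hint_bit_pack(hints: &[Vec<u8>], omega: usize) -> Vec<u8> {
    let mut y = vec![0u8; omega + hints.len()];
    let mut idx = 0usize;
    for (i, poly) in hints.iter().enumerate() {
        for &h in poly { y[idx] = h; idx += 1; }
        y[omega + i] = idx as u8;
    }
    y
}
```

A hint vector built with `hint_bit_pack(&[vec![3, 3], vec![], vec![200], vec![]], ML_DSA_44_OMEGA)` is rejected by the strict decoder and accepted by the lenient one, which is the behavioural difference Wycheproof's ML-DSA verify vectors are designed to catch.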
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.0-rc.4 and later
Vendor Advisory: https://github.com/RustCrypto/signatures/tree/master/ml-dsa
Restart Required: Yes
Instructions:
1. Update Cargo.toml to specify ml-dsa >= 0.1.0-rc.4
2. Run 'cargo update'
3. Rebuild and redeploy application
4. Restart affected services
🔧 Temporary Workarounds
Pin to secure version
Force the dependency to use a pre-0.0.4 version that had the correct implementation
cargo update -p ml-dsa --precise 0.0.3
🧯 If You Can't Patch
- Implement an additional signature validation layer using an independent cryptographic library
- Disable or restrict systems using ML-DSA signatures until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock or run 'cargo tree | grep ml-dsa' to see whether the resolved version is between 0.0.4 and 0.1.0-rc.3
Check Version:
cargo tree | grep ml-dsa | head -1
Verify Fix Applied:
Verify that the ml-dsa version is 0.1.0-rc.4 or later using 'cargo tree | grep ml-dsa', and test against the Wycheproof test vectors
📡 Detection & Monitoring
Log Indicators:
- Failed signature verifications, unexpected authentication successes, cryptographic validation errors
Network Indicators:
- Unusual signature patterns in network traffic, authentication attempts with malformed signatures
SIEM Query:
source="application_logs" AND ("signature verification" OR "ml-dsa") AND ("failed" OR "unexpected")
🔗 References
- https://csrc.nist.gov/pubs/fips/204/final
- https://datatracker.ietf.org/doc/html/rfc9881
- https://github.com/C2SP/wycheproof
- https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json
- https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json
- https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json
- https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a
- https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38
- https://github.com/RustCrypto/signatures/issues/894
- https://github.com/RustCrypto/signatures/pull/895
- https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9