Description
The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. Affected versions use a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug: the original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue.
Published: 2026-01-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Forged signature acceptance
Action: Apply Patch
AI Analysis

Impact

The ml-dsa crate in the RustCrypto signatures repository implements the Module-Lattice-Based Digital Signature Standard (FIPS 204). A regression introduced in version 0.0.4 changed the hint-index comparison in signature decoding from strict (`<`) to non-strict (`<=`), so a signature whose hint indices repeat within one polynomial is no longer rejected. FIPS 204 requires strictly increasing indices so that every hint vector has exactly one valid byte encoding. In the FIPS 204 decoding algorithm a repeated index sets a hint bit that is already set, so the decoded hint is unchanged and the malformed encoding verifies alongside the canonical one; a party without the signing key can therefore turn one valid signature into further byte strings that the verifier accepts. That is the forged-signature acceptance recorded above. The description does not claim that signatures on attacker-chosen messages can be produced, and the CVSS vector rates the integrity impact as low (I:L). The weakness is improper verification of a cryptographic signature (CWE-347).

Affected Systems

The defect lives in the ml-dsa crate of the RustCrypto signatures repository, from version 0.0.4 up to and including 0.1.0-rc.3, and is in the verification path only; key generation and signing are not described as affected. Any application that links one of these versions and verifies ML-DSA signatures received from outside is affected, including transitively through a dependency. The fix ships in version 0.1.0-rc.4.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: a malformed signature can be delivered over the network by an unauthenticated party with no user interaction, and the rated impact is a low loss of integrity with no confidentiality or availability effect. The EPSS score is below 1 % and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild; the SSVC record in the history below nonetheless marks the exploitation status as proof-of-concept and the attack as automatable, which fits a bug that needs only a crafted signature. An attacker needs a system that verifies externally supplied ML-DSA signatures with an affected crate version, plus one valid signature to re-encode. Exposure is highest where a consumer assumes that a message has a single valid signature encoding, for example when signature bytes are used for deduplication or as identifiers; a verifier that only needs to know that the message was signed by the key holder sees less impact, although the relaxed check still means the library is not enforcing the signature format the standard requires.

Generated by OpenCVE AI on April 18, 2026 at 01:48 UTC.

Remediation

Fixed upstream in ml-dsa 0.1.0-rc.4 (see advisory GHSA-5x2r-hc65-25f9 below). No vendor-provided workaround is listed for affected versions.

OpenCVE Recommended Actions

  • Update the RustCrypto ml-dsa crate to version 0.1.0-rc.4 or later (including any dependency that pulls it in transitively) and rebuild your application.
  • Redeploy the rebuilt application so that the fixed verification logic is the one actually running.
  • Confirm the fix with a negative test: a signature whose hint segment repeats an index must now be rejected. The Wycheproof ML-DSA test vectors are a convenient regression set to run alongside it.
  • If the update cannot be applied immediately, reject signatures whose hint indices are not strictly increasing at the application layer before handing the bytes to the crate, or switch to a different signature scheme until the patch is applied.
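
The strict hint check described in the description above, and the application-layer pre-check suggested in the last recommended action, as an added example written for this page (it is not the ml-dsa crate's code): a stand-alone Rust implementation of FIPS 204 HintBitUnpack that exposes the comparison as a `strict` flag, so the canonical encoding, the regressed `<=` behaviour and a pre-check over whole signature bytes can be seen side by side. The parameter constants (k, omega and signature length per parameter set) are the FIPS 204 values; the type and function names are this example's own, and the hint segments built in `main` are constructed inputs, not captured signatures.

```rust
// Added example for this page: strict ML-DSA hint decoding per FIPS 204
// Algorithm 21 (HintBitUnpack), usable as a pre-check on raw signature bytes.
// Not the ml-dsa crate's code; names and constants are this example's own
// (constants follow FIPS 204).

/// Per-parameter-set values needed to locate and decode the hint segment.
#[derive(Clone, Copy, Debug)]
pub struct HintParams {
    pub k: usize,       // number of polynomials in the hint vector
    pub omega: usize,   // maximum total number of hints
    pub sig_len: usize, // total signature length in bytes
}

pub const ML_DSA_44: HintParams = HintParams { k: 4, omega: 80, sig_len: 2420 };
pub const ML_DSA_65: HintParams = HintParams { k: 6, omega: 55, sig_len: 3309 };
pub const ML_DSA_87: HintParams = HintParams { k: 8, omega: 75, sig_len: 4627 };

/// Decode hint bytes `y` (length omega + k) into k polynomials, each a 256-entry
/// bitmap. `strict = true` is the FIPS 204 check (reject when y[Index-1] >= y[Index]);
/// `strict = false` reproduces the regressed check, which rejects only when an
/// index decreases and therefore lets an index repeat.
pub fn hint_bit_unpack(y: &[u8], p: HintParams, strict: bool) -> Option<Vec<[bool; 256]>> {
    if y.len() != p.omega + p.k {
        return None;
    }
    let mut h = vec![[false; 256]; p.k];
    let mut index = 0usize;
    for i in 0..p.k {
        // y[omega + i] is the cumulative hint count after polynomial i.
        let end = y[p.omega + i] as usize;
        if end < index || end > p.omega {
            return None;
        }
        let first = index;
        while index < end {
            if index > first {
                let (prev, cur) = (y[index - 1], y[index]);
                let out_of_order = if strict { prev >= cur } else { prev > cur };
                if out_of_order {
                    return None;
                }
            }
            h[i][y[index] as usize] = true; // a repeated index sets the same bit again
            index += 1;
        }
    }
    // Unused hint slots must be zero, otherwise the encoding is non-canonical.
    if y[index..p.omega].iter().any(|&b| b != 0) {
        return None;
    }
    Some(h)
}

/// Pre-check for a whole signature: true only if its trailing omega + k bytes
/// are a canonical (strictly increasing) hint encoding.
pub fn signature_hints_are_canonical(sig: &[u8], p: HintParams) -> bool {
    if sig.len() != p.sig_len {
        return false;
    }
    hint_bit_unpack(&sig[p.sig_len - p.omega - p.k..], p, true).is_some()
}

/// Build a hint segment from per-polynomial index lists without validation,
/// so that both canonical and malformed encodings can be constructed.
pub fn hint_bit_pack_raw(indices: &[Vec<u8>], p: HintParams) -> Vec<u8> {
    assert!(indices.len() == p.k, "one index list per polynomial");
    let mut y = vec![0u8; p.omega + p.k];
    let mut index = 0usize;
    for (i, poly) in indices.iter().enumerate() {
        for &idx in poly {
            assert!(index < p.omega, "too many hints for omega");
            y[index] = idx;
            index += 1;
        }
        y[p.omega + i] = index as u8;
    }
    y
}

fn main() {
    // Constructed inputs: a canonical ML-DSA-44 hint segment and the same
    // hints with index 17 repeated in polynomial 0.
    let canonical = hint_bit_pack_raw(&[vec![3, 17, 200], vec![], vec![5], vec![]], ML_DSA_44);
    let duplicated = hint_bit_pack_raw(&[vec![3, 17, 17, 200], vec![], vec![5], vec![]], ML_DSA_44);
    let strict_c = hint_bit_unpack(&canonical, ML_DSA_44, true).is_some();
    let strict_d = hint_bit_unpack(&duplicated, ML_DSA_44, true).is_some();
    let lax_c = hint_bit_unpack(&canonical, ML_DSA_44, false);
    let lax_d = hint_bit_unpack(&duplicated, ML_DSA_44, false);
    println!("strict check: canonical accepted={strict_c} duplicated accepted={strict_d}");
    println!("lax check:    both accepted={} identical hint vector={}",
             lax_c.is_some() && lax_d.is_some(), lax_c == lax_d);
}
```

Call `signature_hints_are_canonical` on the raw signature bytes before passing them to the crate; the hint segment is the last omega + k bytes of an ML-DSA signature, so no other part of the signature needs to be parsed. Under the lax check the duplicated segment decodes to exactly the same hint vector as the canonical one, which is why a verifier with the regressed comparison accepts both encodings.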

Advisories
Source: GitHub GHSA
ID: GHSA-5x2r-hc65-25f9
Title: ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices
History

Wed, 28 Jan 2026 15:15:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

First Time appeared, values added: Rustcrypto; Rustcrypto ml-dsa
Vendors & Products, values added: Rustcrypto; Rustcrypto ml-dsa

Wed, 28 Jan 2026 01:00:00 +0000

Description, values added: the CVE description reproduced at the top of this page
Title, values added: ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices
Weaknesses, values added: CWE-347
References, values added: none recorded
Metrics (cvssV3_1), values added:
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

No values were removed in any of these changes.


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T14:54:22.827Z

Reserved: 2026-01-27T14:51:03.060Z

Link: CVE-2026-24850

Vulnrichment

Updated: 2026-01-28T14:54:14.295Z

NVD

Status: Deferred

Published: 2026-01-28T01:16:15.097

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24850

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses