Description
CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer overflow in crypto_sign_open() caused by an underflow of the integer mlen. This issue has been patched via commit fc6b7e7.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer underflow in the mlen parameter of crypto_sign_open() causes a buffer overflow while processing a signature. This overflow occurs in the CROSS implementation of the post‑quantum signature algorithm and can corrupt memory used by the process. If an attacker supplies a specially crafted signature, the overflow could result in arbitrary code execution, privilege escalation, or denial of service. The vulnerability is classified as stack‑based buffer overflow (CWE‑121) and general buffer overflow (CWE‑122).

Affected Systems

The issue affects all versions of CROSS‑implementation from the CROSS‑signature project that have not incorporated the fix commit fc6b7e7. This includes any deployments that utilize the reference or optimized implementations of the CROSS algorithm prior to applying the patch.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk severity. Though the EPSS score is not available, the lack of listing in the CISA KEV catalog suggests that widespread exploitation has not yet been observed. Nevertheless, because the vulnerability is triggered by a crafted input to a cryptographic routine, the likely attack vector would involve an attacker sending malicious signatures over an exposed interface that invokes crypto_sign_open().

Generated by OpenCVE AI on May 8, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch contained in commit fc6b7e7 (see the GitHub commit link) or upgrade to the latest release of CROSS‑implementation that includes the fix
  • If upgrading is not immediately possible, replace or disable use of crypto_sign_open() in untrusted code paths until the patch is applied
  • Monitor system logs or crash reports for abnormal memory usage or process crashes that could indicate exploitation attempts

Generated by OpenCVE AI on May 8, 2026 at 16:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer overflow in crypto_sign_open() caused by an underflow of the integer mlen. This issue has been patched via commit fc6b7e7.
Title Integer underflow in crypto_sign_open() leads to buffer overflow
Weaknesses CWE-121
CWE-122
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T14:15:21.680Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41509

cve-icon Vulnrichment

Updated: 2026-05-08T14:15:17.954Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-08T14:16:34.287

Modified: 2026-05-08T16:08:15.570

Link: CVE-2026-41509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T16:30:12Z

Weaknesses