- Reported
-
- Issued
-
- Package
-
libcrux-ml-dsa
(crates.io)
- Type
-
Vulnerability
- References
-
- CVSS Score
- 8.7
HIGH
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- None
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- High
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- None
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- Patched
-
- Affected Functions
- Version
libcrux_ml_dsa::ml_dsa_44::verify-
libcrux_ml_dsa::ml_dsa_65::verify-
libcrux_ml_dsa::ml_dsa_87::verify-
Description
During ML-DSA verification the serialized hint values are decoded as
specified in algorithm 22 HintBitUnpack of FIPS 204, subsection
7.1. The
algorithm requires that the cumulative hint counters per row of the
hint vector are strictly increasing and below a maximum value which
depends on the choice of ML-DSA parameter set (line 4).
In libcrux-ml-dsa, hint decoding did not check the boundedness of the
cumulative hint counter of the last row of the hint vector.
Impact
A manipulated invalid hint can cause an out-of-bounds memory access
since the hint decoding logic may attempt to read outside the bounds
of the serialized signature, causing a runtime panic.
Mitigation
Starting from version 0.0.8, hint decoding will check the cumulative
hint counter of the last row as well.
Advisory available under CC0-1.0
license.