GHSA-fhvh-vw7h-9xf3: libcrux-ml-dsa: Signature Verification on AVX2 Platforms Mishandles Edge Case

May 19, 2026

The AVX2 implementation of ML-DSA verification incorrectly implemented the use_hint function, mishandling an edge case that should lead to signature rejection.

References

github.com/C2SP/wycheproof/pull/234
github.com/advisories/GHSA-fhvh-vw7h-9xf3
github.com/cryspen/libcrux/pull/1398
github.com/tink-crypto/tink-go/pull/48
rustsec.org/advisories/RUSTSEC-2026-0125.html

Code Behaviors & Features

Detect and mitigate GHSA-fhvh-vw7h-9xf3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →