GHSA-xrf2-5r3p-5wgj: libcrux: Panic in Signature Hint Decoding During Verification
During ML-DSA verification, the serialized hint values are decoded as specified in Algorithm 22 (HintBitUnpack) of FIPS 204, subsection 7.1. The algorithm requires that the cumulative hint counters per row of the hint vector are strictly increasing and below a maximum value, which depends on the choice of ML-DSA parameter set (line 4).
In libcrux-ml-dsa, hint decoding did not check the boundedness of the cumulative hint counter of the last row of the hint vector.
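The decoding checks described above, as an added Rust example that applies the counter bound to every row, the last one included. This is not libcrux's code: the function names and the sample input are constructed for illustration, and the sample uses the ML-DSA-44 sizes from FIPS 204 (k = 4 rows, at most ω = 80 hints).

```rust
// Added example, not libcrux code. Names are hypothetical.
const N: usize = 256; // coefficients per polynomial

/// Decode `y` (omega position bytes followed by k cumulative counters)
/// into k rows of N hint bits. Malformed input yields None, never a panic.
pub fn hint_bit_unpack(y: &[u8], k: usize, omega: usize) -> Option<Vec<[u8; N]>> {
    if y.len() != omega + k {
        return None;
    }
    let mut h = vec![[0u8; N]; k];
    let mut index = 0usize;
    for i in 0..k {
        let end = y[omega + i] as usize; // cumulative counter for row i
        // Checked for every row, including row k-1: the counter must not
        // go backwards and must not exceed omega.
        if end < index || end > omega {
            return None;
        }
        let first = index;
        while index < end {
            // Coefficient positions inside one row must strictly increase.
            if index > first && y[index - 1] >= y[index] {
                return None;
            }
            h[i][y[index] as usize] = 1;
            index += 1;
        }
    }
    // Position bytes past the final counter must be zero padding.
    if y[index..omega].iter().any(|&b| b != 0) {
        return None;
    }
    Some(h)
}

/// Constructed sample: three hints, with the last row's counter supplied
/// by the caller so the bound on that row can be exercised.
pub fn sample(last_counter: u8) -> Vec<u8> {
    let mut y = vec![0u8; 84];
    y[0] = 3; // row 0: coefficients 3 and 200
    y[1] = 200;
    y[2] = 17; // row 2: coefficient 17
    y[80..84].copy_from_slice(&[2, 2, 3, last_counter]);
    y
}

fn main() {
    println!("{}", hint_bit_unpack(&sample(81), 4, 80).is_some());
}
```

Because `index` never exceeds `omega` once every counter has passed the bound, both the position reads and the final padding slice stay inside the buffer.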