GHSA-h37v-hp6w-2pp8: ml-dsa's UseHint function has off by two error when r0 equals zero

February 2, 2026

There’s a bug in the use_hint function where it adds 1 instead of subtracting 1 when the decomposed low bits r0 equal exactly zero. FIPS 204 Algorithm 40 is pretty clear that r0 > 0 means strictly positive, but the current code treats zero as positive. This causes valid signatures to potentially fail verification when this edge case gets hit.

References

github.com/RustCrypto/signatures
github.com/RustCrypto/signatures/commit/10f4ff04cb43ef2b789ee06e885f11cd054b1335
github.com/RustCrypto/signatures/security/advisories/GHSA-h37v-hp6w-2pp8
github.com/advisories/GHSA-h37v-hp6w-2pp8

Code Behaviors & Features

Detect and mitigate GHSA-h37v-hp6w-2pp8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →