An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker to escalate privileges via the crypto_sign_signature parameter in the /pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c component.
The vulnerability affects the pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c component responsible for generating digital signatures compliant with the ML-DSA (CRYSTALS-Dilithium) standard. An attacker can manipulate the crypto_sign_signature parameter, which — according to related CWE — indicates the use of weak or attack-vulnerable cryptographic algorithm (CWE-327) and insufficient signature verification (CWE-1319). References point to an attack technique involving fault injection in ML-DSA implementation, which allows bypassing signature verification mechanisms.
Successful attack enables remote attacker to escalate privileges, which may lead to complete breach of confidentiality, integrity, and availability of protected resources.
Apply patches available from the vendor according to references. It is recommended to monitor the project repository (https://github.com/open-quantum-safe/liboqs) for information about available updates and verify that the used version of liboqs library has been updated to a version that eliminates the described vulnerability.
Open Quantum Safe liboqs version 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenquantumsafe Liboqs
APPOpenquantumsafe0.10.0
Related vulnerabilities
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algori...
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algori...
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algori...
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algori...
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algori...