PT-2026-2255 · Unknown · Rustcrypto Signatures
Tob-Scott-A
·
Publicado
2025-12-12
·
Atualizado
2026-02-02
·
CVE-2026-22705
CVSS v3.1
6.4
Média
| Vetor | AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
RustCrypto versions prior to 0.1.0-rc.2
Description
RustCrypto: Signatures provides support for digital signatures using public-key cryptography. A timing side-channel was discovered in the Decompose algorithm, which is used during ML-DSA signing to generate hints for the signature. This issue allows an attacker with precise timing measurements to potentially extract information about the signing key by observing timing variations during the division operation. The
decompose function originally used a hardware division instruction which has variable timing based on operand values. The division operation involved secret-derived data, making it susceptible to timing attacks. The issue was addressed by replacing the integer division with a constant-time Barrett reduction.Recommendations
Update to version 0.1.0-rc.2 or later.
Exploit
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Rustcrypto Signatures