The AVX2 implementation of ML-DSA verification incorrectly implemented the use hint function, mishandling an edge case that should lead to signature rejection.

An attacker could make the ML-DSA verifier accept a crafted invalid signature under a maliciously generated verification key, if the AVX2 implementation is used.

From version 0.0.9 the edge case is handled correctly and invalid signatures are rejected.