PT-2026-30723 · Microsoft · SymCrypt

Federicoponzi · Published 2026-04-06 · Updated 2026-04-06

CVE-2026-35199

CVSS v3.1: 6.1 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: SymCrypt versions 103.5.0 through 103.10.999

Description: SymCrypt, the core cryptographic function library used by Windows, contains a flaw in the SymCryptXmssSign function. When processing XMSS^MT parameter sets with a total tree height of 32 or greater, a 64-bit leaf count value is truncated to 32 bits when it is passed to a helper function. The truncated count leads to an undersized scratch buffer allocation and a subsequent heap buffer overflow during signature computation. Exploitation requires an application using SymCrypt to perform an XMSS^MT signature with attacker-controlled parameter sets, which is uncommon given the sensitive nature of signing operations. XMSS(^MT) signing should ideally be performed within a Hardware Security Module (HSM); SymCrypt provides XMSS(^MT) signing primarily for testing purposes, because software-based XMSS(^MT) signing carries the potential for state reuse, which compromises the scheme's cryptographic security.

Recommendations: Update to version 103.11.0 or later.
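The truncation described above, as an added illustration that is not SymCrypt's code: a 64-bit leaf count (2^h for total height h) silently narrowed to a uint32_t parameter becomes 0 at h = 32, so any scratch size derived from it is undersized; the hardened variant rejects counts the parameter cannot hold and checks the multiplication. The helper names, the per-leaf scratch size and the reject-on-narrowing fix are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical scratch bytes per leaf (one 32-byte hash value); not SymCrypt's value. */
#define SCRATCH_BYTES_PER_LEAF 32u

/* XMSS^MT has 2^h leaves for a total tree height h; from h = 32 on, the count
 * no longer fits in 32 bits. Heights of 64 or more are outside any parameter set. */
static uint64_t leaf_count_for_height(unsigned total_height)
{
    if (total_height >= 64)
        return UINT64_MAX;
    return (uint64_t)1 << total_height;
}

/* Vulnerable pattern (hypothetical helper): a 32-bit parameter, so the 64-bit
 * argument is narrowed at the call site; 2^32 arrives as 0 and sizes a 0-byte buffer. */
static uint32_t scratch_bytes_u32(uint32_t leaf_count)
{
    return leaf_count * SCRATCH_BYTES_PER_LEAF;
}

static uint32_t vulnerable_scratch_bytes(unsigned total_height)
{
    uint64_t leaves = leaf_count_for_height(total_height);
    return scratch_bytes_u32(leaves);   /* implicit uint64_t -> uint32_t truncation */
}

/* Hardened pattern: refuse a count the helper's parameter cannot represent, and
 * check the multiplication instead of letting 32-bit arithmetic wrap. */
static bool hardened_scratch_bytes(unsigned total_height, uint32_t *out_bytes)
{
    uint64_t leaves = leaf_count_for_height(total_height);
    if (leaves > UINT32_MAX)
        return false;                   /* would truncate: fail the signing call */
    if (leaves > UINT32_MAX / SCRATCH_BYTES_PER_LEAF)
        return false;                   /* product would wrap */
    *out_bytes = (uint32_t)leaves * SCRATCH_BYTES_PER_LEAF;
    return true;
}

int main(void)
{
    uint32_t n = 0;
    printf("h=32 vulnerable scratch size: %u bytes\n", vulnerable_scratch_bytes(32));
    printf("h=32 hardened: %s\n", hardened_scratch_bytes(32, &n) ? "ok" : "rejected");
    return 0;
}
```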

Fix

Weakness Enumeration: Heap Based Buffer Overflow

Related Identifiers: CVE-2026-35199

Affected Products: SymCrypt