PT-2026-44940 · Liboqs · Liboqs

Vishnu2707 · Published 2026-05-29 · Updated 2026-06-04 · CVE-2026-46344

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: liboqs versions prior to 0.16.0

Description: An out-of-bounds read exists in the XMSS and XMSS^MT stateful signature verification code. This occurs when the verification function is called with a signature buffer sized for the declared algorithm, but the public key contains OID bytes (pk[0..3]) referencing a different XMSS parameter set with a larger sig_bytes. The implementation re-parses the OID within the xmss_sign_open() and xmssmt_sign_open() functions and uses the larger sig_bytes value to index the signature buffer. The out-of-bounds bytes are used as input for an internal hash computation and are not returned to the caller, preventing data leakage. The primary impact is a potential denial of service via a process crash if the read accesses an unmapped memory page.

Recommendations: Update to version 0.16.0.
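
The length mismatch described above, as an added sketch in C that is neither liboqs code nor the 0.16.0 fix: it shows the signature length that results from trusting only the OID in the key, next to a caller-side check that rejects the call before verification runs. The function names, the three-entry parameter table and the big-endian OID layout are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical parameter table for this sketch; OIDs and signature sizes
 * are those of three RFC 8391 XMSS parameter sets (n = 32). */
typedef struct { uint32_t oid; size_t sig_bytes; } xmss_params_t;

static const xmss_params_t PARAMS[] = {
    { 0x00000001u, 2500 },  /* XMSS-SHA2_10_256 */
    { 0x00000002u, 2692 },  /* XMSS-SHA2_16_256 */
    { 0x00000003u, 2820 },  /* XMSS-SHA2_20_256 */
};

static const xmss_params_t *params_for(uint32_t oid) {
    for (size_t i = 0; i < sizeof PARAMS / sizeof PARAMS[0]; i++)
        if (PARAMS[i].oid == oid) return &PARAMS[i];
    return NULL;
}

/* Assumption: the OID is stored big-endian in pk[0..3]. */
static uint32_t pk_oid(const uint8_t *pk) {
    return ((uint32_t)pk[0] << 24) | ((uint32_t)pk[1] << 16) |
           ((uint32_t)pk[2] << 8)  |  (uint32_t)pk[3];
}

/* Bytes of the signature buffer a verifier would index if it trusted only
 * the OID re-parsed from the key (the pattern the advisory describes).
 * Returns 0 for an unknown OID. Computes the length only; reads nothing. */
size_t sig_bytes_from_pk_only(const uint8_t *pk) {
    const xmss_params_t *p = params_for(pk_oid(pk));
    return p ? p->sig_bytes : 0;
}

/* Caller-side guard: 0 if verification may proceed, -1 to reject. */
int xmss_verify_precheck(uint32_t declared_oid,
                         const uint8_t *pk, size_t pk_len,
                         size_t sig_len) {
    if (pk == NULL || pk_len < 4) return -1;
    const xmss_params_t *declared = params_for(declared_oid);
    if (declared == NULL) return -1;
    if (pk_oid(pk) != declared_oid) return -1;      /* key names another set */
    if (sig_len != declared->sig_bytes) return -1;  /* buffer size mismatch */
    return 0;
}
```

With a 2500-byte buffer declared for OID 1 and a key whose first four bytes encode OID 3, the unchecked length is 2820, which is 320 bytes past the end of the buffer; the guard rejects that call.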

Fix

Out of bounds Read


Weakness Enumeration

Related Identifiers

CVE-2026-46344

Affected Products

Liboqs