{"id":"RUSTSEC-2026-0077","summary":"Incorrect Check of Signer Response Norm During Verification","details":"The ML-DSA verification algorithm as specified in [FIPS 204,\nsubsection\n6.3](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#subsection.6.3)\nrequires verifiers to check that the infinity norm of the deserialized\nsigner response $z$ does not exceed $\\gamma_1 - \\beta$ (line 13 of\nAlgorithm 8).\nThe same check is required to be performed during signature generation.\n\nlibcrux-ml-dsa did not perform this check correctly during signature\nverification, accepting signatures with signer response norm above the\nallowed maximum value.  The check is correctly performed during\nsigning.\n\n## Impact\nApplications using libcrux-ml-dsa for signature verification would\nhave accepted signatures that would be rejected by a conforming\nimplementation.\n\n## Mitigation\nStarting from version `0.0.8`, signature verification uses the correct\nvalue for $\\gamma_1$ in the signer response norm check.","aliases":["GHSA-cp57-fq8g-qh6v"],"modified":"2026-03-27T05:55:06Z","published":"2026-03-04T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/libcrux-ml-dsa"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0077.html"},{"type":"WEB","url":"https://github.com/cryspen/libcrux/pull/1347"}],"affected":[{"package":{"name":"libcrux-ml-dsa","ecosystem":"crates.io","purl":"pkg:cargo/libcrux-ml-dsa"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.0.8"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":["libcrux_ml_dsa::ml_dsa_44::verify","libcrux_ml_dsa::ml_dsa_65::verify","libcrux_ml_dsa::ml_dsa_87::verify"],"os":[]},"affected_functions":null},"database_specific":{"cvss":null,"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0077.json","categories":[]}}],"schema_version":"1.7.5"}