The vulnerability CVE-2026-24850 affects the RustCrypto ml-dsa crate, a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA), which is specified in FIPS 204 and RFC 9881. The flaw is a regression introduced in version 0.0.4 where the signature verification logic incorrectly accepts signatures containing duplicate hint indices within polynomials. According to the ML-DSA specification, hint indices must be strictly increasing, meaning each subsequent index must be greater than the previous one. However, the affected versions use a non-strict monotonic check (<=) rather than a strict (<) comparison, allowing repeated indices. This improper verification (CWE-347) undermines the integrity of the signature verification process, potentially enabling attackers to craft signatures that bypass verification or cause incorrect acceptance of invalid signatures. The original implementation was correct, but a code change introduced this regression. The vulnerability affects all versions from 0.0.4 up to but not including 0.1.0-rc.4, where the issue was corrected. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the vulnerability can be exploited remotely without authentication or user interaction, impacting integrity but not confidentiality or availability. No known exploits have been reported in the wild, but the flaw poses a risk to any system relying on this crate for cryptographic signature verification.

For European organizations, the primary impact of this vulnerability lies in the potential compromise of cryptographic signature integrity. Systems relying on the affected versions of the RustCrypto ml-dsa crate for digital signatures may incorrectly validate forged or tampered signatures, leading to unauthorized code execution, bypass of security controls, or acceptance of malicious updates or communications. This can undermine trust in software supply chains, secure communications, and authentication mechanisms. Although confidentiality and availability are not directly impacted, the integrity breach can facilitate further attacks such as privilege escalation or data manipulation. Organizations in sectors with high reliance on cryptographic assurance—such as finance, government, telecommunications, and critical infrastructure—are particularly at risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure. Failure to update vulnerable systems could expose European entities to targeted attacks or supply chain compromises.

European organizations should promptly identify any usage of the RustCrypto ml-dsa crate within their software stacks, particularly versions >=0.0.4 and <0.1.0-rc.4. The primary mitigation is to upgrade to version 0.1.0-rc.4 or later, where the strict comparison bug is fixed. For organizations unable to upgrade immediately, code audits should be conducted to verify signature verification logic and ensure no acceptance of duplicate hint indices. Implement additional signature validation layers or fallback checks to detect anomalies in signature structures. Incorporate cryptographic agility practices to allow rapid replacement of vulnerable components. Monitor threat intelligence feeds for any emerging exploits targeting this vulnerability. For critical systems, consider isolating or restricting the use of affected components until patched. Finally, enforce secure software development lifecycle practices to detect and prevent similar regressions in cryptographic code.