CVE-2026-24850: CWE-347: Improper Verification of Cryptographic Signature in RustCrypto signatures
CVE-2026-24850 is a medium severity vulnerability in the RustCrypto ml-dsa crate affecting versions from 0.0.4 up to but not including 0.1.0-rc.4. The issue is an improper verification of cryptographic signatures caused by a regression in which the ordering check on hint indices was weakened from strict ('previous < current') to non-strict ('previous <= current'), so a hint encoding that repeats an index is accepted. This violates the ML-DSA specification (FIPS 204 / RFC 9881), which requires the indices within each polynomial to be strictly increasing, and lets non-canonical signatures pass verification (signature malleability). The vulnerability affects the integrity of signature verification but not confidentiality or availability. No known exploits are reported in the wild.
AI Analysis
Technical Summary
CVE-2026-24850 is a signature verification flaw in the RustCrypto ml-dsa crate, a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA) specified in FIPS 204 and RFC 9881. An ML-DSA signature carries a challenge hash, a response vector z and a hint vector h. The hint is packed (FIPS 204 Algorithm 20, HintBitPack) as a list of coefficient indices per polynomial followed by one cumulative count byte per polynomial, and the verifier unpacks it with Algorithm 21 (HintBitUnpack), which must fail unless the indices within each polynomial are strictly increasing and the unused index slots are zero. Those checks exist so that every hint vector has exactly one valid byte encoding. The regression, present from version 0.0.4, weakened the consecutive-index check from 'previous < current' to 'previous <= current', so an encoding that repeats an index is accepted. Because setting the same hint coefficient twice is a no-op, a signature with duplicated indices decodes to the same hint polynomial as its canonical form, and the number of entries is still bounded by ω; the bug therefore does not let an attacker sign a new message without the private key, but it does break canonical encoding and strong unforgeability (SUF-CMA). Anyone holding a valid signature can derive further byte-distinct signatures on the same message that the vulnerable verifier accepts while a conforming verifier rejects them. The vulnerability affects all versions from 0.0.4 up to but excluding 0.1.0-rc.4, where the strict check was restored. The CVSS v3.1 base score is 5.3 (medium): exploitable over the network without privileges or user interaction, with a low integrity impact and no confidentiality or availability impact. No known exploits have been reported in the wild. The weakness is classified as CWE-347: Improper Verification of Cryptographic Signature. The regression was introduced inadvertently during development, a reminder that encoding-validity checks in a signature parser are security checks and deserve negative test vectors of their own. Users of the affected crate should upgrade to version 0.1.0-rc.4 or later.
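The two forms of the consecutive-index check described above, as an added example written for this page in Rust; it is not the ml-dsa crate's code. It implements FIPS 204 Algorithm 21 (HintBitUnpack) with the ML-DSA-44 parameters (k = 4, ω = 80), switchable between the strict check the standard requires and the weakened 'previous <= current' check the advisory describes, plus Algorithm 20 (HintBitPack) so a canonical encoding can be compared with a malleated one. The hint contents are constructed sample data, and the IndexCheck enum, the function names and the re-pack canonicality test are this example's own, not the crate's API.

```rust
// Added example for this page, not the ml-dsa crate's code. FIPS 204 Algorithm 21
// (HintBitUnpack) with the strictly-increasing index check the standard requires and
// with the weakened check the advisory describes, plus Algorithm 20 (HintBitPack) so a
// canonical hint encoding can be compared with a malleated one.

/// Polynomial degree (FIPS 204 Table 1).
pub const N: usize = 256;
/// ML-DSA-44 parameters (FIPS 204 Table 1): k polynomials in the hint, at most ω hints.
pub const K: usize = 4;
pub const OMEGA: usize = 80;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum IndexCheck {
    /// Consecutive indices must satisfy prev < cur (FIPS 204 / RFC 9881).
    Strict,
    /// Regressed check: prev <= cur, so a repeated index passes.
    Lax,
}

/// HintBitUnpack: decode ω + k bytes into k polynomials of 0/1 coefficients.
/// Returns None wherever the standard returns ⊥.
pub fn hint_bit_unpack(y: &[u8], check: IndexCheck) -> Option<Vec<[u8; N]>> {
    if y.len() != OMEGA + K {
        return None;
    }
    let mut h = vec![[0u8; N]; K];
    let mut index = 0usize;
    for i in 0..K {
        // Byte ω + i holds the cumulative number of hints up to and including polynomial i.
        let end = usize::from(y[OMEGA + i]);
        if end < index || end > OMEGA {
            return None;
        }
        let first = index;
        while index < end {
            if index > first {
                let (prev, cur) = (y[index - 1], y[index]);
                let ordered = match check {
                    IndexCheck::Strict => prev < cur,
                    IndexCheck::Lax => prev <= cur,
                };
                if !ordered {
                    return None;
                }
            }
            // Setting a coefficient that is already 1 changes nothing, which is why a
            // duplicated index decodes to exactly the canonical hint.
            h[i][usize::from(y[index])] = 1;
            index += 1;
        }
    }
    // Unused index slots must be zero padding.
    if y[index..OMEGA].iter().any(|&b| b != 0) {
        return None;
    }
    Some(h)
}

/// HintBitPack: the unique canonical encoding of a hint vector with at most ω set bits.
pub fn hint_bit_pack(h: &[[u8; N]]) -> Vec<u8> {
    let mut y = vec![0u8; OMEGA + K];
    let mut index = 0usize;
    for (i, poly) in h.iter().enumerate() {
        for (j, &bit) in poly.iter().enumerate() {
            if bit == 1 {
                assert!(index < OMEGA, "more than ω hints");
                y[index] = j as u8; // emitted in increasing order by construction
                index += 1;
            }
        }
        y[OMEGA + i] = index as u8;
    }
    y
}

/// A hint encoding is canonical only if decoding and re-encoding reproduces its bytes.
pub fn is_canonical(y: &[u8], check: IndexCheck) -> bool {
    hint_bit_unpack(y, check).map_or(false, |h| hint_bit_pack(&h) == y)
}

/// Constructed sample hint: coefficients 3 and 17 of polynomial 0, coefficient 200 of polynomial 2.
pub fn sample_hint() -> Vec<[u8; N]> {
    let mut h = vec![[0u8; N]; K];
    h[0][3] = 1;
    h[0][17] = 1;
    h[2][200] = 1;
    h
}

/// The same hint with index 17 repeated, as someone holding the genuine signature could
/// rewrite it without the private key (counts become 3, 3, 4, 4 to cover the extra entry).
pub fn sample_hint_with_duplicate() -> Vec<u8> {
    let mut y = vec![0u8; OMEGA + K];
    y[..4].copy_from_slice(&[3, 17, 17, 200]);
    y[OMEGA..].copy_from_slice(&[3, 3, 4, 4]);
    y
}

fn main() {
    let canonical = hint_bit_pack(&sample_hint());
    let malleated = sample_hint_with_duplicate();
    println!("strict accepts canonical: {}", hint_bit_unpack(&canonical, IndexCheck::Strict).is_some());
    println!("strict accepts malleated: {}", hint_bit_unpack(&malleated, IndexCheck::Strict).is_some());
    println!("lax accepts malleated:    {}", hint_bit_unpack(&malleated, IndexCheck::Lax).is_some());
    println!("malleated decodes to the same hint: {}",
        hint_bit_unpack(&malleated, IndexCheck::Lax) == Some(sample_hint()));
}
```

Run with cargo run: the strict decoder rejects the malleated encoding, the lax decoder accepts it and produces the identical hint, which is the whole of the vulnerability: same message, same public key, a second byte-distinct signature that verifies. The decode-then-re-encode comparison in is_canonical is the cheapest check to bolt onto a verifier when the library cannot be upgraded at once.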
Potential Impact
The impact of CVE-2026-24850 is on the integrity guarantees of ML-DSA signature verification in the affected versions. An attacker cannot use the bug to sign messages of their choosing; what they gain is the ability to take a genuine signature and rewrite its hint encoding with repeated indices so that the vulnerable verifier still accepts it. That matters wherever a system treats the signature bytes themselves as meaningful: deduplication or replay detection keyed on the signature, signatures used as identifiers of transactions or records, consensus or ledger protocols that require every participant to accept or reject the same bytes, and any protocol whose security argument assumes strong unforgeability. It also creates an interoperability split, since a conforming ML-DSA verifier (or the fixed crate) rejects what the vulnerable crate accepts. For European organizations this is most relevant in software supply chains, secure messaging and authentication systems that have begun adopting post-quantum signatures through this crate. Confidentiality and availability are not affected. The flaw is reachable remotely without authentication or user interaction, but an attacker first needs an existing valid signature to modify, so the exposure is concentrated in protocols where signature uniqueness or cross-implementation agreement matters. No exploitation in the wild has been reported, and the medium score reflects a real but bounded risk. Sectors with early post-quantum deployments in Rust, including finance, telecommunications and government digital services, should treat it as a prompt patch rather than an emergency.
Mitigation Recommendations
To mitigate CVE-2026-24850, organizations should first find every use of the RustCrypto ml-dsa crate at versions >= 0.0.4 and < 0.1.0-rc.4 in their software, including transitive dependencies: `cargo tree -i ml-dsa` in each workspace shows which crates pull it in, and `cargo audit` flags the vulnerable range once the advisory is in the RustSec database. The remediation is to upgrade to 0.1.0-rc.4 or later, where the strict monotonic check on hint indices is enforced, and to rebuild and redeploy every binary that statically linked the vulnerable version. Audit forks and vendored copies so that a local patch does not reintroduce the weakened comparison. Add a regression test that feeds the verifier an otherwise valid signature whose hint encoding has a repeated index, one with an out-of-order index and one with non-zero padding, and asserts that all three are rejected; a cheap general check for canonical encoding is to unpack the hint, re-pack it and require the bytes to match. Where signature bytes are used as identifiers or for replay detection, do not rely on that uniqueness until the upgrade is complete. Monitoring should look for divergence rather than failures: a signature that the vulnerable verifier accepts and a conforming one rejects is the signature of a malleated hint. Fuzzing and property-based tests on the signature decoder, and code review of every comparison in encoding-validity checks, help prevent similar regressions. Finally, track RustCrypto release notes and RustSec advisories so that follow-up fixes in the release-candidate series are applied promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T14:51:03.060Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69795d714623b1157c56bc0c
Added to database: 1/28/2026, 12:50:57 AM
Last enriched: 2/4/2026, 9:28:18 AM
Last updated: 2/7/2026, 1:38:57 AM