CVE-2026-46344: CWE-125: Out-of-bounds Read in open-quantum-safe liboqs
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a correctly-sized signature buffer for the declared algorithm but a public key whose OID bytes (pk[0..3]) reference a different XMSS parameter set with a larger sig_bytes, the implementation re-parses the OID from the public key inside xmss_sign_open / xmssmt_sign_open and uses the resulting (larger) sig_bytes to index the caller-supplied signature buffer. As with CVE-2026-44518, the out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0.
AI Analysis
Technical Summary
liboqs, a C cryptographic library implementing post-quantum algorithms, had an out-of-bounds read vulnerability (CWE-125) in its XMSS and XMSS^MT stateful signature verification code prior to version 0.16.0. The issue arises when the verification function is called with a signature buffer sized for one algorithm but a public key whose OID references a different XMSS parameter set with a larger signature size. The code re-parses the OID and uses the larger signature size to index into the signature buffer, reading beyond its bounds. This out-of-bounds data is only consumed internally in a hash computation and is not returned or leaked, so no oracle exists for data disclosure. The primary observable effect is a possible crash of the verifying process due to invalid memory access, leading to denial of service. The vulnerability is fixed in liboqs version 0.16.0.
Potential Impact
The vulnerability can cause the verifying process to crash if the out-of-bounds read crosses into unmapped memory, resulting in denial of service. There is no confidentiality or integrity impact as the out-of-bounds data is not exposed or leaked to an attacker. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade liboqs to version 0.16.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.16.0, applying this official fix is the recommended remediation. No additional mitigation is required.
CVE-2026-46344: CWE-125: Out-of-bounds Read in open-quantum-safe liboqs
Description
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a correctly-sized signature buffer for the declared algorithm but a public key whose OID bytes (pk[0..3]) reference a different XMSS parameter set with a larger sig_bytes, the implementation re-parses the OID from the public key inside xmss_sign_open / xmssmt_sign_open and uses the resulting (larger) sig_bytes to index the caller-supplied signature buffer. As with CVE-2026-44518, the out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
liboqs, a C cryptographic library implementing post-quantum algorithms, had an out-of-bounds read vulnerability (CWE-125) in its XMSS and XMSS^MT stateful signature verification code prior to version 0.16.0. The issue arises when the verification function is called with a signature buffer sized for one algorithm but a public key whose OID references a different XMSS parameter set with a larger signature size. The code re-parses the OID and uses the larger signature size to index into the signature buffer, reading beyond its bounds. This out-of-bounds data is only consumed internally in a hash computation and is not returned or leaked, so no oracle exists for data disclosure. The primary observable effect is a possible crash of the verifying process due to invalid memory access, leading to denial of service. The vulnerability is fixed in liboqs version 0.16.0.
Potential Impact
The vulnerability can cause the verifying process to crash if the out-of-bounds read crosses into unmapped memory, resulting in denial of service. There is no confidentiality or integrity impact as the out-of-bounds data is not exposed or leaked to an attacker. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade liboqs to version 0.16.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.16.0, applying this official fix is the recommended remediation. No additional mitigation is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T18:37:30.990Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19dc07e29bf47b50ff85d3
Added to database: 5/29/2026, 6:33:43 PM
Last enriched: 5/29/2026, 7:03:47 PM
Last updated: 5/31/2026, 4:54:14 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.