PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44518 open-quantum-safe CVE debrief

liboqs prior to 0.16.0 contains an out-of-bounds read in XMSS and XMSS^MT stateful signature verification. When a signature buffer shorter than expected is supplied, the code reads past buffer bounds without validation. The excess bytes feed only into internal hash computation and are not returned to callers, preventing information leakage. The sole exploitable effect is potential process crash (denial of service) if the read accesses unmapped memory. This vulnerability is fixed in version 0.16.0.

Vendor: open-quantum-safe
Product: liboqs
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations deploying post-quantum cryptographic systems using liboqs for XMSS or XMSS^MT signatures, particularly those exposing signature verification to untrusted network input. Developers integrating stateful hash-based signatures into security-critical applications where availability is paramount.

Technical summary

The vulnerability exists in the XMSS and XMSS^MT stateful hash-based signature schemes implemented in liboqs. The verification function fails to check that the caller-provided signature buffer meets the minimum length requirement for the selected parameter set. When a short buffer is supplied, the implementation performs an out-of-bounds read during signature parsing. The read bytes are used exclusively as input to internal hash operations and are not exposed to the caller, eliminating information disclosure risk. The primary impact is potential segmentation fault and process termination if the memory access crosses into unmapped pages.

Defensive priority

medium

Recommended defensive actions

  • Upgrade liboqs to version 0.16.0 or later to remediate the out-of-bounds read vulnerability
  • Validate signature buffer lengths in application code before passing to liboqs verification functions if immediate patching is not feasible
  • Monitor application logs for unexpected crashes in cryptographic verification paths that may indicate exploitation attempts
  • Review custom integrations using liboqs XMSS or XMSS^MT for proper input validation practices
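Added illustration of the length check in the second action above (not code from liboqs or the advisory): the expected XMSS and XMSS^MT signature sizes are derived from the RFC 8391 formulas for the parameter set, and any buffer that does not match is rejected before it reaches the verifier. With liboqs the value to compare against is the signature length the library reports for the algorithm object (its length_signature field); the buffer below is constructed and is not a real signature.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* WOTS+ chain count for n-byte digests and Winternitz parameter w = 16
 * (RFC 8391, section 3.1.1): len = len_1 + len_2. */
static size_t wots_len(size_t n) {
    const size_t lg_w = 4;                          /* log2(16) */
    size_t len_1 = (8 * n + lg_w - 1) / lg_w;       /* ceil(8n / lg_w) */
    size_t v = len_1 * 15, lg = 0;                  /* floor(log2(len_1 * (w - 1))) */
    while (v >>= 1) lg++;
    return len_1 + lg / lg_w + 1;
}

/* XMSS signature: 4-byte index + n-byte randomness + WOTS+ signature + h auth-path nodes. */
size_t xmss_sig_len(size_t n, unsigned h) {
    return 4 + n + wots_len(n) * n + (size_t)h * n;
}

/* XMSS^MT signature: ceil(h/8)-byte index + n-byte randomness
 * + d WOTS+ signatures + h auth-path nodes spread over the d layers. */
size_t xmssmt_sig_len(size_t n, unsigned h, unsigned d) {
    return (h + 7) / 8 + n + (size_t)d * wots_len(n) * n + (size_t)h * n;
}

/* Returns 1 when the buffer may be handed to the verifier, 0 otherwise.
 * A short buffer is the CVE-2026-44518 case; a long one is also malformed. */
int signature_length_ok(const uint8_t *sig, size_t sig_len, size_t expected) {
    return sig != NULL && sig_len == expected;
}

/* Constructed demonstration (not a real signature): a 2499-byte buffer is one
 * byte short of an XMSS-SHA2_10_256 signature and must never reach the verifier. */
int demo_short_buffer(void) {
    static uint8_t buf[2500];
    size_t expected = xmss_sig_len(32, 10);         /* 2500 bytes per RFC 8391 */
    int short_rejected = !signature_length_ok(buf, 2499, expected);
    int full_accepted  =  signature_length_ok(buf, 2500, expected);
    return short_rejected && full_accepted;
}

int main(void) {
    printf("XMSS-SHA2_10_256 signature length: %zu\n", xmss_sig_len(32, 10));
    printf("XMSSMT-SHA2_20/2_256 signature length: %zu\n", xmssmt_sig_len(32, 20, 2));
    printf("short-buffer guard works: %s\n", demo_short_buffer() ? "yes" : "no");
    return 0;
}
```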

Evidence notes

CVE description confirms out-of-bounds read in XMSS/XMSS^MT verification with no information disclosure oracle. GitHub advisory and commit ef70dea7c85e5637f37828d75e5b9bb29dbfe513 provide fix confirmation. CVSS 5.3 (MEDIUM) reflects network-accessible denial of service with low attack complexity.

Official resources

2026-05-29