PatchSiren cyber security CVE debrief
CVE-2026-46344 open-quantum-safe CVE debrief
## Summary

CVE-2026-46344 is a medium-severity out-of-bounds read vulnerability in the Open Quantum Safe liboqs cryptographic library, affecting versions prior to 0.16.0. The flaw exists in the XMSS and XMSS^MT stateful signature verification code, where a mismatch between the signature buffer size and the public key's OID-derived parameter set can cause the verification function to read beyond the allocated signature buffer. The vulnerability was published on 2026-05-29.

## Technical Details

The vulnerability stems from improper parameter validation in the XMSS/XMSS^MT signature verification implementation. When `xmss_sign_open` or `xmssmt_sign_open` is invoked, the function re-parses the OID from the provided public key to determine the expected signature size (`sig_bytes`). If an attacker supplies a public key with OID bytes referencing a parameter set with a larger signature size than the actual signature buffer provided, the function will attempt to read beyond the buffer boundary.

The out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, preventing information disclosure. The primary impact is limited to denial of service through process crash when the read crosses into unmapped memory pages. This vulnerability shares characteristics with CVE-2026-44518, which involved a similar issue in the same codebase.
## Affected Products

- **Product**: liboqs (Open Quantum Safe library)
- **Affected Versions**: Prior to 0.16.0
- **Component**: XMSS and XMSS^MT stateful signature verification

## Risk Assessment

| Attribute | Value |
|-----------|-------|
| CVSS 3.1 Score | 5.3 |
| Severity | MEDIUM |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Low |

The vulnerability is exploitable remotely without authentication, making it attractive for denial-of-service attacks against services performing XMSS/XMSS^MT signature verification. However, the lack of information disclosure or code execution potential limits the overall risk.
- Vendor: open-quantum-safe
- Product: liboqs
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations using liboqs for post-quantum cryptographic operations, particularly those implementing XMSS or XMSS^MT stateful signatures in production services. Developers maintaining cryptographic libraries or applications performing signature verification. Security teams monitoring for denial-of-service vectors in cryptographic infrastructure.
Technical summary
Out-of-bounds read in liboqs XMSS/XMSS^MT signature verification when the public key's OID references a parameter set whose signature size is larger than the supplied signature buffer. Fixed in 0.16.0.
Defensive priority
medium
Recommended defensive actions
- Upgrade liboqs to version 0.16.0 or later to remediate this vulnerability
- Review applications using liboqs for XMSS/XMSS^MT signature verification and assess exposure
- Implement input validation to ensure public key OIDs match expected parameter sets before verification
- Monitor for process crashes in signature verification services as potential indicators of exploitation attempts
- Consider sandboxing or memory protection mechanisms for cryptographic operations to limit impact of memory safety issues
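The Technical Details above describe the verifier trusting the OID re-parsed from the public key to set `sig_bytes`, and the actions above recommend validating the OID and buffer sizes before verification. The following is an added example of such a pre-verification gate, written for this debrief and not taken from liboqs; the parameter table, the `xmss_precheck` name and the result codes are constructed here, with OIDs and sizes for XMSS-SHA2_10/16/20_256 computed from the RFC 8391 formulas (assumed, check against the liboqs headers you ship).

```c
#include <stddef.h>
#include <stdint.h>

/* Parameter table constructed for this example (not liboqs's own tables).
 * OIDs and sizes follow RFC 8391 for XMSS-SHA2_h_256: n = 32, len = 67,
 * sig_bytes = 4 + n + (len + h) * n, pk_bytes = 4 + 2 * n. */
typedef struct { uint32_t oid; size_t pk_bytes; size_t sig_bytes; } xmss_param_t;

static const xmss_param_t XMSS_PARAMS[] = {
    { 0x00000001u, 68, 2500 }, /* XMSS-SHA2_10_256 */
    { 0x00000002u, 68, 2692 }, /* XMSS-SHA2_16_256 */
    { 0x00000003u, 68, 2820 }, /* XMSS-SHA2_20_256 */
};

/* Result codes of the pre-verification check (hypothetical names). */
enum { XMSS_PRECHECK_OK = 0, XMSS_PRECHECK_PK_TOO_SHORT, XMSS_PRECHECK_OID_MISMATCH,
       XMSS_PRECHECK_OID_UNKNOWN, XMSS_PRECHECK_PK_LEN, XMSS_PRECHECK_SIG_LEN };

/* The OID is the first four bytes of the public key, big-endian. */
static uint32_t xmss_pk_oid(const uint8_t *pk)
{
    return ((uint32_t)pk[0] << 24) | ((uint32_t)pk[1] << 16) |
           ((uint32_t)pk[2] << 8)  |  (uint32_t)pk[3];
}

/* Gate to run before xmss_sign_open: the key's OID must be the one this
 * deployment pinned, and the pk and signature buffers must be exactly the
 * sizes that OID implies. A signature shorter than sig_bytes is the case
 * the CVE describes, so it is rejected here rather than inside verification. */
int xmss_precheck(const uint8_t *pk, size_t pk_len, size_t sig_len,
                  uint32_t pinned_oid)
{
    size_t i;
    if (pk == NULL || pk_len < 4) return XMSS_PRECHECK_PK_TOO_SHORT;
    uint32_t oid = xmss_pk_oid(pk);
    if (oid != pinned_oid) return XMSS_PRECHECK_OID_MISMATCH;
    for (i = 0; i < sizeof(XMSS_PARAMS) / sizeof(XMSS_PARAMS[0]); i++) {
        if (XMSS_PARAMS[i].oid != oid) continue;
        if (pk_len != XMSS_PARAMS[i].pk_bytes) return XMSS_PRECHECK_PK_LEN;
        if (sig_len != XMSS_PARAMS[i].sig_bytes) return XMSS_PRECHECK_SIG_LEN;
        return XMSS_PRECHECK_OK;
    }
    return XMSS_PRECHECK_OID_UNKNOWN;
}
```

Pinning the expected OID per deployment, rather than accepting whatever the key announces, is what removes the attacker's control over `sig_bytes`; the length checks then make the fixed-size read provably in bounds. Treat a non-zero return as a logged verification failure, which also gives the crash-monitoring action above a cleaner signal.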
Evidence notes
Vulnerability description and technical details sourced from official CVE record and NVD entry. Fix commit and security advisory referenced from GitHub security advisories. CVSS vector and scoring from NVD. Timeline dates derived from CVE published and modified timestamps.
Official resources
2026-05-29