## Summary CVE-2026-46344 is a medium-severity out-of-bounds read vulnerability in the Open Quantum Safe liboqs cryptographic library, affecting versions prior to 0.16.0. The flaw exists in the XMSS and XMSS^MT stateful signature verification code, where a mismatch between the signature buffer size and the public key's OID-derived parameter set can cause the verification function to read beyond the alloca [truncated]
liboqs prior to 0.16.0 contains an out-of-bounds read in XMSS and XMSS^MT stateful signature verification. When a signature buffer shorter than expected is supplied, the code reads past buffer bounds without validation. The excess bytes feed only into internal hash computation and are not returned to callers, preventing information leakage. The sole exploitable effect is potential process crash (denial of [truncated]
