MEDIUM 5.3

CVE-2026-44518: Out-of-Bounds Read in liboqs XMSS Signature Verification

liboqs, an open-source cryptographic library implementing post-quantum algorithms, contains an out-of-bounds read flaw in its XMSS and XMSS^MT signature verification routines. When a verification function receives a signature buffer shorter than expected, the code reads beyond the buffer boundary without length validation. While the out-of-bounds bytes are only used internally for hashing and cannot leak sensitive data, the read can crash the verifying process if it accesses unmapped memory, creating a denial-of-service risk. The issue is resolved in version 0.16.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-125, CWE-20
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a signature buffer shorter than the expected signature size for the given parameter set, the implementation does not validate the caller-supplied length and proceeds to read past the end of the buffer. The out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44518 involves an out-of-bounds read in the XMSS and XMSS^MT verification code paths within liboqs prior to 0.16.0. The vulnerability stems from insufficient input validation (CWE-20) of caller-supplied signature buffer lengths. When a signature buffer shorter than the parameter set's expected size is passed to the verification function, the implementation proceeds to read past the buffer boundary (CWE-125). The out-of-bounds bytes are consumed only as input to an internal hash computation, limiting information disclosure exposure. However, if the read crosses into an unmapped memory region, the process will segfault, resulting in denial of service. The vulnerability carries a CVSS 3.1 score of 5.3 (Medium severity, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), reflecting the availability impact with no confidentiality or integrity components.

Business impact

Organizations deploying liboqs in signature verification workflows face availability risk. Any service that verifies XMSS or XMSS^MT signatures using affected versions may crash if malformed or truncated signatures are processed. In post-quantum migration strategies where XMSS is being adopted for long-term signature verification, this could disrupt critical authentication or non-repudiation processes. The impact is primarily denial of service rather than cryptographic compromise; however, availability disruptions to signature verification in security-sensitive applications warrant prompt remediation.

Affected systems

The vulnerability affects liboqs versions prior to 0.16.0. The Open Quantum Safe project maintains liboqs as a broadly available C library for post-quantum cryptography. Any deployment using liboqs for XMSS or XMSS^MT signature verification—whether embedded in applications, integrated into cryptographic toolkits, or used in standalone testing environments—is potentially affected. Organizations using liboqs in non-verification contexts (e.g., key generation only) have reduced exposure.

Exploitability

Exploitation requires the ability to supply a malformed signature (specifically, one shorter than the expected size for a given XMSS parameter set) to a verification function. Attack surface depends on deployment: services accepting external signatures over a network have higher exploitability than closed environments. No authentication or user interaction is needed, and the attack is straightforward—triggering a crash by providing truncated input. However, the vulnerability does not permit code execution, cryptographic oracle attacks, or data exfiltration. CVSS reflects low complexity and network accessibility, but the absence of an information leak and high barrier to practical exploitation limit real-world risk.

Remediation

Upgrade liboqs to version 0.16.0 or later. This version includes length validation fixes that prevent out-of-bounds reads by verifying that caller-supplied buffers meet the required size before processing. Verify that your deployment environment and any dependent applications are compatible with the patched version. For organizations in early post-quantum migration phases, confirm that XMSS integration tests pass with the updated library.

Patch guidance

Apply the liboqs 0.16.0 update to all systems running the library. Test the upgrade in a staging environment to validate integration with dependent applications and any custom verification workflows. The update is recommended for all users but carries particularly high priority for services accepting external XMSS signatures. Verify against the Open Quantum Safe project's official release notes and advisories to confirm compatibility with your specific deployment.

Detection guidance

Monitor for segmentation faults or crashes in processes performing XMSS or XMSS^MT signature verification, especially following receipt of untrusted signature data. Audit logs for repeated verification failures or malformed signature handling may indicate exploitation attempts. Long-term, ensure your SBOM includes liboqs with a documented version, enabling rapid identification of deployed instances during vulnerability discovery. Static analysis or dependency scanning tools can help identify liboqs presence in codebases.

Why prioritize this

While the CVSS score is medium (5.3), the actual risk is modest for most deployments. No credential compromise, data theft, or cryptographic weakness is possible; the sole concern is availability. Prioritization should reflect your organization's reliance on XMSS signature verification: if XMSS is not yet widely deployed as part of your post-quantum roadmap, this is a routine patch. If XMSS verification is integral to authentication or compliance workflows, prioritize the update to prevent denial-of-service scenarios. The fix is straightforward and carries minimal regression risk.

Risk score, explained

The CVSS 3.1 score of 5.3 (Medium) is driven by the availability impact (A:L) and network accessibility (AV:N). Confidentiality and integrity scores are zero because the out-of-bounds read leaks no data and does not modify signatures or keys. The low attack complexity (AC:L) reflects the simplicity of triggering a crash with a truncated signature. However, the practical risk is tempered by the requirement for external signature input and the absence of code execution or privilege escalation potential. Organizations should treat this as a medium-priority availability fix rather than a critical security emergency.

Frequently asked questions

Could an attacker use this vulnerability to extract cryptographic keys or bypass signature verification?

No. The out-of-bounds read only affects input to an internal hash computation; the bytes are not returned to the caller and cannot be used to leak keys or secrets. The vulnerability does not compromise the cryptographic algorithm or permit signature forgery—it only risks crashing the verifier.

Do we need to update if we're not using XMSS or XMSS^MT, only other post-quantum algorithms in liboqs?

No. The vulnerability is specific to the XMSS and XMSS^MT verification code paths. If your deployment uses only other algorithms provided by liboqs (such as ML-KEM or ML-DSA), you are not affected. However, we recommend checking your dependency tree to confirm which algorithms are in use.

Is there an active exploit or is this a theoretical vulnerability?

This appears to be a theoretical vulnerability discovered through code analysis rather than active exploitation. No public exploit or proof-of-concept is known. However, the crash condition is straightforward to trigger with a truncated signature, so the barrier to causing a denial of service is low.

What should we do if we cannot immediately patch?

Implement input validation in your application layer to ensure that signatures meet the expected size for your XMSS parameter set before passing them to liboqs verification functions. This defense-in-depth measure mitigates the crash risk while you plan and test the upgrade to 0.16.0.

This analysis is based on publicly available vulnerability data current as of the published and modified dates shown. Patch version numbers and compatibility details should be verified against the Open Quantum Safe project's official advisory and release notes. Organizations should validate any remediation steps in their specific environment before production deployment. SEC.co does not warrant the completeness or accuracy of derived insights and recommends consultation with your vendor and security team for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).