CVE-2024-31510 Affecting liboqs package, versions *

Q: How to fix?

There is no fixed version for Debian:unstable liboqs .

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-DEBIANUNSTABLE-LIBOQS-7148501
published28 May 2024
disclosed24 May 2024

Report a new vulnerability Found a mistake?

Introduced: 24 May 2024

CVE-2024-31510 (opens in a new tab)

How to fix?

There is no fixed version for Debian:unstable liboqs.

NVD Description

Note: Versions mentioned in the description apply only to the upstream liboqs package and not the liboqs package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker to escalate privileges via the crypto_sign_signature parameter in the /pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c component.

References

https://security-tracker.debian.org/tracker/CVE-2024-31510
https://gist.github.com/liang-junkai/a9fc693f8bdf176e9d9f56773bf20703
https://github.com/liang-junkai/Fault-injection-of-ML-DSA
https://github.com/open-quantum-safe/liboqs