cvedb.io
CVE-2026-46344
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-05-29T19:16:25.350 · Last modified 2026-06-17T10:53:35.330

Summary

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a correctly-sized signature buffer for the declared algorithm but a public key whose OID bytes (pk[0..3]) reference a different XMSS parameter set with a larger sig_bytes, the implementation re-parses the OID from the public key inside xmss_sign_open / xmssmt_sign_open and uses the resulting (larger) sig_bytes to index the caller-supplied signature buffer. As with CVE-2026-44518, the out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle ex
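A caller-side guard against the mismatch described above, as an added example (not liboqs code and not the project's fix): it rejects a public key whose OID differs from the declared parameter set, or whose parameter set needs more signature bytes than the caller supplied. The function names are hypothetical, the three parameter sets and signature lengths are taken from RFC 8391, and big-endian OID encoding in pk[0..3] is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Subset of RFC 8391 parameter sets: OID -> signature length in bytes. */
struct xmss_param { uint32_t oid; size_t sig_bytes; };
static const struct xmss_param XMSS_PARAMS[] = {
    { 0x00000001u, 2500 }, /* XMSS-SHA2_10_256 */
    { 0x00000002u, 2692 }, /* XMSS-SHA2_16_256 */
    { 0x00000003u, 2820 }, /* XMSS-SHA2_20_256 */
};

/* Read the 4-byte OID at pk[0..3]; big-endian is assumed here. */
static uint32_t pk_oid(const uint8_t *pk) {
    return ((uint32_t)pk[0] << 24) | ((uint32_t)pk[1] << 16) |
           ((uint32_t)pk[2] << 8)  |  (uint32_t)pk[3];
}

/* Returns sig_bytes for a known OID, or 0 if the OID is not in the table. */
static size_t sig_bytes_for_oid(uint32_t oid) {
    for (size_t i = 0; i < sizeof XMSS_PARAMS / sizeof XMSS_PARAMS[0]; i++)
        if (XMSS_PARAMS[i].oid == oid)
            return XMSS_PARAMS[i].sig_bytes;
    return 0;
}

/* Hypothetical guard to run before calling the verifier.
 * Returns 0 when it is safe to proceed, a negative code otherwise. */
int xmss_check_before_verify(uint32_t declared_oid,
                             const uint8_t *pk, size_t pk_len,
                             size_t sig_len) {
    if (pk == NULL || pk_len < 4)
        return -1;                      /* too short to carry an OID */
    uint32_t oid = pk_oid(pk);
    if (oid != declared_oid)
        return -2;                      /* key names a different parameter set */
    size_t need = sig_bytes_for_oid(oid);
    if (need == 0)
        return -3;                      /* unknown parameter set */
    if (sig_len < need)
        return -4;                      /* verifier would index past the buffer */
    return 0;
}
```
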

Affected products

openquantumsafe — liboqs

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.