Critical severity 9.8 · NVD Advisory · Published May 8, 2026 · Updated May 12, 2026
CVE-2026-41509
Description
CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer overflow in crypto_sign_open() caused by an underflow of the integer mlen. This issue has been patched via commit fc6b7e7.
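The wraparound described above, shown as an added example (not code from the CROSS project): the unchecked subtraction next to an open-style routine that rejects short inputs first. `demo_sig_t`, `demo_mlen_unchecked`, `demo_open`, `demo_try`, the 64-byte signature size, the `message || signature` layout and the extra `m_cap` capacity check are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for CROSS_sig_t; the real layout is not on this page. */
typedef struct { unsigned char bytes[64]; } demo_sig_t;

/* Pre-fix length computation: no lower bound on smlen, so the unsigned
 * subtraction wraps modulo 2^64 instead of going negative. */
unsigned long long demo_mlen_unchecked(unsigned long long smlen)
{
    return smlen - (unsigned long long) sizeof(demo_sig_t);
}

/* Hypothetical open-style routine with the minimum-length check in place.
 * Assumes sm = message || signature; signature verification is omitted. */
int demo_open(unsigned char *m, size_t m_cap, unsigned long long *mlen,
              const unsigned char *sm, unsigned long long smlen)
{
    *mlen = 0;                          /* defined on every failure path */
    if (smlen < sizeof(demo_sig_t))
        return -1;                      /* too short to hold a signature */
    unsigned long long len = smlen - sizeof(demo_sig_t); /* cannot wrap */
    if (len > m_cap)
        return -1;                      /* caller's buffer is too small */
    memcpy(m, sm, (size_t) len);
    *mlen = len;
    return 0;
}

/* Runs demo_open on a constructed all-zero input of smlen bytes. Returns the
 * recovered length, -1 if rejected, -2 if smlen exceeds the demo buffer. */
long long demo_try(unsigned long long smlen)
{
    unsigned char sm[128] = {0};
    unsigned char m[32];
    unsigned long long mlen;
    if (smlen > sizeof sm) return -2;
    if (demo_open(m, sizeof m, &mlen, sm, smlen) != 0) return -1;
    return (long long) mlen;
}

int main(void)
{
    printf("unchecked mlen for smlen=10: %llu\n", demo_mlen_unchecked(10));
    printf("checked: smlen=10 -> %lld, smlen=70 -> %lld\n", demo_try(10), demo_try(70));
    return 0;
}
```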
Affected products: 1
Patches: 1
fc6b7e78cdf7: add a check on the minimum smlen
1 file changed · +4 −0
Reference_Implementation/lib/sign.c+4 −0 modified@@ -80,6 +80,10 @@ int crypto_sign_open(unsigned char *m, // out parameter const unsigned char *pk) // in parameter { + if (smlen < (size_t) sizeof(CROSS_sig_t)) { + return -1; + } + /* verify returns 1 if signature is ok, 0 otherwise */ *mlen = smlen-(unsigned long long) sizeof(CROSS_sig_t);
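Review bot: the new early return in crypto_sign_open() exits before `*mlen = smlen-(unsigned long long) sizeof(CROSS_sig_t);` runs, so for a too-short input the visible lines never write the out parameter `*mlen`. Consider setting `*mlen = 0;` before `return -1;` so a caller that ignores the return code cannot read an indeterminate length. The `(size_t)` cast on `sizeof(CROSS_sig_t)` is redundant, since sizeof already yields a size_t. The change touches only Reference_Implementation/lib/sign.c; if the optimized implementation carries its own copy of this function, it needs the same check.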
References: 2