Openquantumsafe Liboqs

7 matches found

added 2024/12/06 4:0 p.m. | 79 views

CVE-2024-54137

CVE-2024-54137 affects liboqs HQC KEM. A correctness error in the HQC decapsulation path caused part of the secret key to be treated as non-secret, resulting in an incorrect shared secret when decapsulating malformed ciphertexts. The fix is implemented in liboqs 0.12.0, as referenced by multiple ...

CVSS 7.5 | AI score 7.3 | EPSS 0.00386
added 2024/06/10 12:47 p.m. | 77 views

CVE-2024-36405

CVE-2024-36405 affects the liboqs reference Kyber KEM implementation. A control-flow timing leak arises when the Kyber KEM is compiled with Clang 15–18 under certain options (including -Os and -O1), enabling a local attacker to measure decapsulation timings and recover the entire ML-KEM 512 secre...

CVSS 7.5 | AI score 5.7 | EPSS 0.00515
added 2024/05/24 2:14 p.m. | 66 views

CVE-2024-31510

CVE-2024-31510 affects Open Quantum Safe liboqs v10.0. It describes a remote privilege escalation via the crypto_sign_signature parameter in the pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c component. Connected sources corroborate the vulnerability in liboqs 10.0 and note the potential...

CVSS 9.8 | AI score 7 | EPSS 0.00618
added 2025/05/30 7:21 p.m. | 45 views

CVE-2025-48946

CVE-2025-48946 concerns the liboqs library (C), specifically the HQC algorithm implemented in versions prior to 0.13.0. The root cause is a theoretical design flaw in HQC that can lead to large numbers of malformed ciphertexts sharing the same implicit rejection value. The public descriptions sta...

CVSS 3.7 | AI score 7.2 | EPSS 0.00201
added 2026/05/29 6:7 p.m. | 26 views

CVE-2026-44518

liboqs (C library for post-quantum crypto) exposes a buffer overread in XMSS/XMSS^MT stateful signature verification prior to 0.16.0. If verify is called with a signature shorter than the parameter’s sig_bytes, length isn't validated and the code reads past the end of the signature buffer. The ex...

CVSS 5.3 | AI score 5.8 | EPSS 0.00304
added 2025/07/10 6:42 p.m. | 23 views

CVE-2025-52473

CVE-2025-52473 affects the liboqs HQC KEM reference implementation. When compiled with Clang at optimization levels above -O0, the code contains secret-dependent branches that enable a proof-of-concept local attack to recover the entire secret key. The vulnerability is fixed in version 0.14.0. Im...

CVSS 5.9 | AI score 6.1 | EPSS 0.002
added 2026/05/29 6:8 p.m. | 19 views

CVE-2026-46344

CVE-2026-46344 pertains to the liboqs C library (post-quantum cryptography). Before v0.16.0, there is a heap/out-of-bounds risk in XMSS/XMSS^MT stateful signature verification when a public key’s OID points to a larger parameter set than the declared algorithm, causing xmss_sign_open / xmssmt_sig...

CVSS 5.3 | AI score 5.8 | EPSS 0.00304