CVE-2026-22705

Quantum Solace: Timing Leaks in RustCrypto's ML-DSA

Amit Schendel
Senior Security Researcher

Jan 13, 2026

Executive Summary (TL;DR)

The RustCrypto implementation of the post-quantum signature scheme ML-DSA (formerly Dilithium) performed integer division and remainder on secret-dependent values with the CPU's native division instructions. On many processors the latency of an integer division depends on the magnitude of its operands, so the signing time varies with the secret value being divided. An attacker who can collect enough signature timings can statistically infer the private key.

A timing side channel in the RustCrypto `ml-dsa` crate therefore allows an attacker to recover private keys by measuring execution-time variations caused by non-constant-time integer division.
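The following is an added example, not code from the RustCrypto `ml-dsa` crate or from the advisory. It places the vulnerable pattern (the `/` and `%` operators applied to a secret operand) beside a constant-time replacement that computes floor(x / q) and x mod q with Barrett's multiply-and-shift for the fixed public divisor q = 8380417, the ML-DSA modulus, and cross-checks the two on constructed inputs. The function names, the choice of q as the divisor, and the 32-bit input width are assumptions made for illustration.

```rust
// Added example (not code from the RustCrypto ml-dsa crate): a secret operand
// divided with the native `/` and `%` operators, beside a constant-time
// replacement that uses Barrett's multiply-and-shift for a fixed public divisor.
// Function names are illustrative; q = 8380417 is the ML-DSA modulus.
use std::hint::black_box;
use std::time::Instant;

/// ML-DSA prime modulus q = 2^23 - 2^13 + 1.
pub const Q: u32 = 8_380_417;

/// Vulnerable pattern: `/` and `%` applied to a secret operand `x`. When the
/// divisor is not a compile-time constant this lowers to a hardware DIV whose
/// latency on many CPUs depends on operand magnitude, so timing leaks `x`.
pub fn naive_divrem(x: u32, d: u32) -> (u32, u32) {
    (x / d, x % d)
}

/// Shift K = N + L with N = 32 input bits and L = ceil(log2 Q) = 23.
const K: u32 = 55;
/// Barrett constant M = ceil(2^K / Q); Q is odd, so ceil is floor + 1.
const M: u128 = (1u128 << K) / (Q as u128) + 1;

/// Constant-time floor(x / Q) for every u32 x: one multiply, one shift.
/// Correctness: M = 2^K/Q + e with 0 < e < 1, so x*M/2^K = x/Q + x*e/2^K and
/// the error term is below 2^32/2^55 = 2^-23 < 1/Q, too small to move the floor.
pub fn ct_div_q(x: u32) -> u32 {
    (((x as u128) * M) >> K) as u32
}

/// Constant-time (x / Q, x mod Q); q*Q <= x, so the subtraction cannot underflow.
pub fn ct_divrem_q(x: u32) -> (u32, u32) {
    let q = ct_div_q(x);
    (q, x - q * Q)
}

/// Constant-time x mod Q.
pub fn ct_mod_q(x: u32) -> u32 {
    ct_divrem_q(x).1
}

/// Cross-check the constant-time path against the plain operators on
/// constructed inputs: every multiple of Q in u32 range and its neighbours,
/// plus the extremes. Returns true when all pairs agree.
pub fn check_agreement() -> bool {
    let mut samples = vec![0u32, 1, Q - 1, Q, Q + 1, u32::MAX - 1, u32::MAX];
    for k in 0..=(u32::MAX / Q) {
        let m = k * Q;
        samples.extend([m, m.wrapping_sub(1), m.wrapping_add(1)]);
    }
    samples.iter().all(|&x| naive_divrem(x, Q) == ct_divrem_q(x))
}

/// Time `iters` evaluations of `f` on a fixed input, in nanoseconds.
fn time_ns<F: Fn(u32) -> (u32, u32)>(f: F, x: u32, iters: u32) -> u128 {
    let t = Instant::now();
    for _ in 0..iters {
        black_box(f(black_box(x)));
    }
    t.elapsed().as_nanos()
}

fn main() {
    assert!(check_agreement());
    // black_box hides the divisor from the optimiser so a real DIV is emitted
    // rather than the compiler's own multiply-shift for a known constant.
    let d = black_box(Q);
    for &x in &[3u32, u32::MAX] {
        println!(
            "x={x:>10}: naive div {:>9} ns, barrett {:>9} ns",
            time_ns(|v| naive_divrem(v, d), x, 1_000_000),
            time_ns(ct_divrem_q, x, 1_000_000),
        );
    }
}
```

Two caveats for anyone reproducing this. First, an optimising compiler often strength-reduces division by a compile-time constant into a multiply-shift on its own, which is why `main` hides the divisor with `black_box`; relying on that optimisation is not a constant-time guarantee, whereas the explicit Barrett form is. Second, whether the DIV instruction's latency actually depends on operand size varies by microarchitecture, so the printed timings may or may not differ on a given machine; the point of the fix is that no architecture promises uniform latency, so secret data must never reach the instruction at all.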

Technical Appendix

CVSS Score: 6.4 / 10 (Medium)
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Probability: 0.02% (roughly the 4.7th percentile, i.e. a lower predicted exploitation likelihood than about 95% of scored CVEs)

Affected Systems

RustCrypto: Signatures (ml-dsa crate)
Systems using Dilithium/ML-DSA for PQC signatures

Affected Versions Detail

Product: ml-dsa (RustCrypto)
Affected Versions: < 0.1.0-rc.2
Fixed Version: 0.1.0-rc.2
Attribute: Detail
CWE ID: CWE-1240
CVSS v3.1: 6.4 (Medium)
Attack Vector: Adjacent Network
Bug Class: Timing Side-Channel
EPSS Score: 0.00021 (~4.7th percentile)
Patch Status: Released (0.1.0-rc.2)
CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation

The bug class is a timing discrepancy: the primitive's running time depends on secret data because it is processed with a non-constant-time integer division.

Vulnerability Timeline

Fix Committed
2026-01-09
Advisory Published
2026-01-10
CVE Assigned
2026-01-12
