wolfSSL's ML-DSA-44 signing function (dilithium_sign_with_seed_mu() in dilithium.c) frees a heap block of roughly 50 KB that holds private signing material (s1, s2 and t0 in NTT form) without clearing it first. A same-process attacker who can allocate and read a heap block of the same size can therefore recover the key material. With glibc malloc, the PoC recovers s1 from the freed block and forges signatures on arbitrary messages; this was verified against the compiled libwolfssl binary on three Linux distributions and on macOS. wolfSSL has already fixed this exact pattern, a missing ForceZero before the free of private key material, in Dilithium key generation (643427040), Ed25519 signing (5f7bc0f3a) and Ed448 signing (109e765b5); the ML-DSA signing path was missed. FIPS 204 Section 3.6.3 requires that implementations 'shall ensure that any potentially sensitive intermediate data is destroyed as soon as it is no longer needed.'
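The pattern described above, as an added example that is not wolfSSL's code: a constructed 12,288-byte buffer stands in for the ML-DSA-44 working block (s1, s2 and t0, 4 + 4 + 4 polynomials of 256 int32 coefficients) and is filled from a small PRNG in place of real key material. `release_unsafe` frees it as the affected path does; `release_safe` clears it first with a volatile-store loop, the same idea as wolfSSL's ForceZero. A same-size malloc afterwards is then compared with the original contents in 64-byte windows. The names, the block layout and the scoring are assumptions for illustration; how many windows survive the unsafe path depends on the allocator (glibc typically hands the same chunk straight back), while the cleared path recovers nothing on any allocator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the ML-DSA-44 working block: s1 (l=4), s2 (k=4)
 * and t0 (k=4), each 256 int32 coefficients, 12 * 1024 bytes in all.
 * Only the size is modelled; this is not wolfSSL's layout. */
#define ML_DSA44_POLYS   12
#define POLY_BYTES       (256 * sizeof(int32_t))
#define PRIV_BLOCK_BYTES (ML_DSA44_POLYS * POLY_BYTES)
#define WINDOW           64

static volatile uint32_t g_sink;   /* keeps the "signing" reads observable */

/* Deterministic filler standing in for secret coefficients (constructed). */
static void fill_secret(uint8_t *buf, size_t n, uint64_t seed) {
    uint64_t x = seed ? seed : 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;    /* xorshift64 */
        buf[i] = (uint8_t)(x >> 56);
    }
}

/* Stand-in for the signature computation: it only has to consume the block so
 * the compiler cannot treat the key-material stores as dead ahead of free(). */
static uint32_t toy_sign(const uint8_t *priv, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) h = (h ^ priv[i]) * 16777619u;   /* FNV-1a */
    return h;
}

/* Zeroisation the optimiser cannot drop: volatile stores are side effects,
 * so dead-store elimination may not remove them before free(). */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

static void release_unsafe(uint8_t *priv) { free(priv); }                               /* the reported pattern */
static void release_safe(uint8_t *priv, size_t n) { secure_zero(priv, n); free(priv); }  /* the fix */

/* Signer allocates, uses and releases the block; a same-process attacker then
 * allocates the same size and compares what it receives with the real secret.
 * Returns the number of 64-byte windows that came back intact. */
static size_t recover_after_free(int zeroize, size_t n) {
    uint8_t *reference = malloc(n);   /* ground truth, used only for scoring */
    uint8_t *priv = malloc(n);
    if (!reference || !priv) { free(reference); free(priv); return 0; }
    fill_secret(reference, n, 42);
    memcpy(priv, reference, n);
    g_sink = toy_sign(priv, n);
    if (zeroize) release_safe(priv, n); else release_unsafe(priv);

    uint8_t *attacker = malloc(n);    /* malloc, not calloc: a reused chunk is not cleared */
    size_t hits = 0;
    if (attacker) {
        uint8_t * volatile hide = attacker;   /* launder so the compiler cannot assume the contents */
        attacker = hide;
        for (size_t off = 0; off + WINDOW <= n; off += WINDOW)
            if (memcmp(attacker + off, reference + off, WINDOW) == 0) hits++;
        free(attacker);
    }
    release_safe(reference, n);       /* do not leave the ground-truth copy behind either */
    return hits;
}

/* Self-check for the zeroisation helper. */
static int secure_zero_clears(void) {
    uint8_t buf[128];
    fill_secret(buf, sizeof buf, 7);
    secure_zero(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i]) return 0;
    return 1;
}

int main(void) {
    size_t windows = PRIV_BLOCK_BYTES / WINDOW;
    printf("free without clearing: %zu/%zu windows recovered\n", recover_after_free(0, PRIV_BLOCK_BYTES), windows);
    printf("clear then free:       %zu/%zu windows recovered\n", recover_after_free(1, PRIV_BLOCK_BYTES), windows);
    return 0;
}
```

Two details matter when porting the fix: a plain memset() before free() is exactly the store a compiler is entitled to delete, which is why the clearing loop goes through a volatile pointer, and the fix has to cover every exit path from the signing function (error returns included), since a block freed on an early error carries the same material.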
| Vendor | Product | Affected versions |
|---|---|---|
| wolfssl | wolfssl ml-dsa | v5.7.2 - v5.9.0-stable |
Updated description with detailed technical information, added patch information, marked the vulnerability as actively exploited, and included a URL for the proof of concept.
Initial creation