Security Vulnerability Report
中文
CVE-2026-35199 CVSS 6.1 MEDIUM

CVE-2026-35199

Published: 2026-04-06 20:16:28
Last Modified: 2026-04-16 04:16:28
Source: [email protected]

Description

SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, The SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that accepts a 32-bit parameter. For XMSS^MT parameter sets with total tree height >= 32 (which includes standard predefined parameters), this causes silent truncation to zero, resulting in a drastically undersized scratch buffer allocation followed by a heap buffer overflow during signature computation. Exploiting this issue would require an application using SymCrypt to perform an XMSS^MT signature using an attacker-controlled parameter set. It is uncommon for applications to allow the use of attacker-controlled parameter sets for signing, since signing is a private key operation, and private keys must be trusted by definition. Additionally, XMSS(^MT) signing should only be performed in a Hardware Security Module (HSM). XMSS(^MT) signing is provided in SymCrypt only for testing purposes. This is a general rule irrespective of this CVE; XMSS(^MT) and other stateful signature schemes are only cryptographically secure when it is guaranteed that the same state cannot be reused for two different signatures, which cannot be guaranteed by software alone. For this reason, XMSS(^MT) signing is also not FIPS approved when performed outside of an HSM. Fixed in version 103.11.0.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:symcrypt:*:*:*:*:*:*:*:* - VULNERABLE
SymCrypt 103.5.0
SymCrypt 103.5.0 to 103.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <stdint.h> // Mock helper function that accepts a 32-bit parameter void HelperFunction(uint32_t leaf_count) { printf("Helper received (truncated): %u\n", leaf_count); // In the real vulnerability, this leads to a small buffer allocation } // Vulnerable function logic simulation void SymCryptXmssSign_Vulnerable(uint64_t leaf_count) { // The bug: passing 64-bit value directly to 32-bit parameter // If leaf_count >= 2^32 (e.g., height >= 32), it gets truncated. HelperFunction(leaf_count); } int main() { // Simulate a large leaf count for a tree height >= 32 // 2^32 is a common threshold for 32-bit truncation uint64_t large_count = 1ULL << 32; printf("Original 64-bit count: %llu\n", large_count); // Trigger the vulnerable logic SymCryptXmssSign_Vulnerable(large_count); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35199", "sourceIdentifier": "[email protected]", "published": "2026-04-06T20:16:27.543", "lastModified": "2026-04-16T04:16:28.213", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, The SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that accepts a 32-bit parameter. For XMSS^MT parameter sets with total tree height >= 32 (which includes standard predefined parameters), this causes silent truncation to zero, resulting in a drastically undersized scratch buffer allocation followed by a heap buffer overflow during signature computation. Exploiting this issue would require an application using SymCrypt to perform an XMSS^MT signature using an attacker-controlled parameter set. It is uncommon for applications to allow the use of attacker-controlled parameter sets for signing, since signing is a private key operation, and private keys must be trusted by definition. Additionally, XMSS(^MT) signing should only be performed in a Hardware Security Module (HSM). XMSS(^MT) signing is provided in SymCrypt only for testing purposes. This is a general rule irrespective of this CVE; XMSS(^MT) and other stateful signature schemes are only cryptographically secure when it is guaranteed that the same state cannot be reused for two different signatures, which cannot be guaranteed by software alone. For this reason, XMSS(^MT) signing is also not FIPS approved when performed outside of an HSM. Fixed in version 103.11.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:symcrypt:*:*:*:*:*:*:*:*", "versionStartIncluding": "103.5.0", "versionEndExcluding": "103.11.0", "matchCriteriaId": "850E34D6-8319-4094-8DE2-E9DAE3CD7478"}]}]}], "references": [{"url": "https://github.com/microsoft/SymCrypt/security/advisories/GHSA-rvj8-8h6x-hjmg", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.