Design Flaw in liboqs Affecting Post-Quantum Cryptography Algorithm
CVE-2025-48946

3.7LOW

Key Information:

Vendor

Open-quantum-safe

Status
Liboqs
Vendor
CVE Published:
30 May 2025

What is CVE-2025-48946?

The liboqs cryptographic library contains a design flaw within its implementation of the HQC algorithm, leading to large numbers of malformed ciphertexts that can share the same implicit rejection value. Although no concrete attacks on this flaw are known, it presents potential risks for implementations involving key derivation. Users are advised that HQC does not offer the same security assurances as alternative algorithms like Kyber or ML-KEM. From version 0.13.0 onwards, HQC is disabled by default in liboqs until an updated algorithm specification is provided by the HQC team.

Affected Version(s)

liboqs < 0.13.0

References

https://github.com/open-quantum-safe/liboqs/security/advi...
x_refsource_CONFIRM
https://github.com/open-quantum-safe/liboqs/commit/a7d698...
x_refsource_MISC
https://durumcrustulum.com/2024/02/24/how-to-hold-kems/#hqc
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-48946 : Design Flaw in liboqs Affecting Post-Quantum Cryptography Algorithm