Heap Buffer Overflow Vulnerability in SymCrypt by Microsoft
CVE-2026-35199

6.1 MEDIUM

Key Information:

Vendor

Microsoft

Status
Vendor
CVE Published:
6 April 2026

What is CVE-2026-35199?

A heap buffer overflow vulnerability exists in Microsoft SymCrypt versions 103.5.0 through 103.10.9. The issue arises when the SymCryptXmssSign function passes a 64-bit leaf count to a helper function that accepts a 32-bit value. The upper bits are silently discarded, so the scratch buffer allocated for the XMSS^MT signature computation is drastically undersized. Exploiting this vulnerability is challenging: it requires an application that lets an attacker control the signing parameters, which is generally rare because signing operations are closely tied to trusted private key management. For optimal security, XMSS^MT signing must be conducted within a Hardware Security Module (HSM). The vulnerability has been addressed in SymCrypt version 103.11.0.
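As an added illustration of the narrowing pattern described above (this is not SymCrypt's code; the helper names, the per-leaf scratch size and the tree heights are assumptions), the vulnerable size computation beside a guarded version:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the bug class: the caller holds a 64-bit leaf count,
 * but the helper parameter is 32 bits wide, so the high bits vanish when the
 * scratch-buffer size is derived. Names and sizes here are assumptions. */
#define BYTES_PER_LEAF 32u   /* assumed scratch needed per leaf (one hash output) */

/* Leaf count of an XMSS^MT instance with total tree height h is 2^h. */
uint64_t leaves_for_height(unsigned h) { return (uint64_t)1 << h; }

/* Helper with a 32-bit parameter: compiles fine when handed a uint64_t,
 * which is exactly why -Wconversion (or a static analyzer) should be on. */
static size_t scratch_size_narrow(uint32_t leaf_count) {
    return (size_t)leaf_count * BYTES_PER_LEAF;
}

/* Vulnerable pattern: implicit truncation of the 64-bit argument. */
size_t vulnerable_scratch_size(uint64_t leaf_count) {
    return scratch_size_narrow(leaf_count);   /* upper 32 bits dropped */
}

/* Hardened pattern: keep the full width and refuse sizes that cannot be
 * represented, so the caller fails closed instead of under-allocating. */
int safe_scratch_size(uint64_t leaf_count, size_t *out) {
    if (leaf_count > SIZE_MAX / BYTES_PER_LEAF) return -1;  /* would overflow */
    *out = (size_t)leaf_count * BYTES_PER_LEAF;
    return 0;
}

int main(void) {
    size_t safe = 0;
    uint64_t leaves = leaves_for_height(40);   /* 2^40 leaves: low 32 bits are zero */
    printf("narrow: %zu bytes\n", vulnerable_scratch_size(leaves));
    if (safe_scratch_size(leaves, &safe) == 0)
        printf("guarded: %zu bytes\n", safe);
    else
        printf("guarded: size not representable, refusing\n");
    return 0;
}
```

With a tree height of 40 the narrow path asks for zero bytes of scratch, while the guarded path either returns the true size or refuses.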

Affected Version(s)

SymCrypt >= 103.5.0, < 103.11.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
