CVE-2026-26958

LOW EPSS 28.4%
Published Feb 19, 20264mo ago · Modified Apr 15, 20262mo ago
1.7 CVSS 4.0
Low
Find Similar
Published Feb 19, 2026 4mo ago
Last Modified Apr 15, 2026 2mo ago

Description

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.

CVSS Details

Base Score
1.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
28.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-665

References 3

  • github.com https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
  • github.com https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1
  • github.com https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.