| Titel | PuTTY Project (Simon Tatham) PuTTY 0.83 Improper Verification of Cryptographic Signature |
|---|
| Beschreibung | PuTTY's Ed25519 verification logic in crypto/ecc-ssh.c (eddsa_verify) does not enforce strict canonical-scalar validation (S < L). Because of this, a valid signature (R, S) can be malleated into (R, S+L) and still pass verification.
Using the provided PoC with PuTTY testcrypt (ssh_key_verify), both signatures verify successfully:
putty verify(orig) = True
putty verify(S+L) = True
This demonstrates Ed25519 signature malleability acceptance (non-canonical signature accepted). Historically, similar signature malleability vulnerabilities have been discovered and assigned CVEs in other projects, including CVE-2026-3706, CVE-2020-36843, and CVE-2024-45193. |
|---|
| Quelle | ⚠️ https://github.com/py-thok/putty-ed25519-malleability-s-plus-l |
|---|
| Benutzer | pythok (UID 95793) |
|---|
| Einreichung | 09.03.2026 07:40 (vor 2 Monaten) |
|---|
| Moderieren | 22.03.2026 12:48 (13 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 352429 [PuTTY 0.83 Ed25519 Signature crypto/ecc-ssh.c eddsa_verify schwache Authentisierung] |
|---|
| Punkte | 20 |
|---|