| Название | PuTTY Project (Simon Tatham) PuTTY 0.83 Improper Verification of Cryptographic Signature |
|---|
| Описание | PuTTY's Ed25519 verification logic in crypto/ecc-ssh.c (eddsa_verify) does not enforce strict canonical-scalar validation (S < L). Because of this, a valid signature (R, S) can be malleated into (R, S+L) and still pass verification.
Using the provided PoC with PuTTY testcrypt (ssh_key_verify), both signatures verify successfully:
putty verify(orig) = True
putty verify(S+L) = True
This demonstrates Ed25519 signature malleability acceptance (non-canonical signature accepted). Historically, similar signature malleability vulnerabilities have been discovered and assigned CVEs in other projects, including CVE-2026-3706, CVE-2020-36843, and CVE-2024-45193. |
|---|
| Источник | ⚠️ https://github.com/py-thok/putty-ed25519-malleability-s-plus-l |
|---|
| Пользователь | pythok (UID 95793) |
|---|
| Представление | 09.03.2026 07:40 (2 месяцы назад) |
|---|
| Модерация | 22.03.2026 12:48 (13 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 352429 [PuTTY 0.83 Ed25519 Signature crypto/ecc-ssh.c eddsa_verify слабая аутентификация] |
|---|
| Баллы | 20 |
|---|