| Title | GitHub tinyssh 20250501 Cryptographic Issues |
|---|---|
| Description | A signature malleability vulnerability was identified in tinyssh (up to the latest version at the time of reporting) due to an incomplete implementation of the Ed25519 verification logic. The software fails to strictly validate the range of the scalar S during signature verification, as mandated by RFC 8032. Specifically, the implementation does not check whether S is within the canonical range [0, L), where L is the order of the base point. An attacker can craft a non-canonical signature by adding multiples of L to the scalar S, which will still be accepted as valid by the affected versions of tinyssh. While this does not directly lead to private key recovery, it allows for signature malleability, which can be exploited in protocols relying on signature uniqueness or to bypass certain security checks in downstream applications. |
| Source | https://github.com/janmojzis/tinyssh/issues/101 |
| User | pythok (UID 95793) |
| Submission | 03/07/2026 13:12 (1 month ago) |
| Moderation | 03/21/2026 16:10 (14 days later) |
| Status | Accepted |
| VulDB entry | 352358 [janmojzis tinyssh up to 20250501 Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification] |
| Points | 20 |