data/reports/GO-2026-4503.yaml - vulndb - Git at Google

 id: GO-2026-4503
 modules:
     - module: filippo.io/edwards25519
       versions:
         - fixed: 1.1.1
       vulnerable_at: 1.1.0
       packages:
         - package: filippo.io/edwards25519
           symbols:
             - Point.MultiScalarMult
 summary: Invalid result or undefined behavior in filippo.io/edwards25519
 description: |-
     Previously, if MultiScalarMult was invoked on an
     initialized point who was not the identity point, MultiScalarMult
     produced an incorrect result. If called on an
     uninitialized point, MultiScalarMult exhibited undefined behavior.
 cves:
     - CVE-2026-26958
 credits:
     - shaharcohen1
     - WeebDataHoarder
 references:
     - advisory: https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr
     - fix: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
 source:
     id: go-security-team
     created: 2026-02-17T14:45:04.271552-05:00
 review_status: REVIEWED
	id: GO-2026-4503
	modules:
	- module: filippo.io/edwards25519
	versions:
	- fixed: 1.1.1
	vulnerable_at: 1.1.0
	packages:
	- package: filippo.io/edwards25519
	symbols:
	- Point.MultiScalarMult
	summary: Invalid result or undefined behavior in filippo.io/edwards25519
	description: \|-
	Previously, if MultiScalarMult was invoked on an
	initialized point who was not the identity point, MultiScalarMult
	produced an incorrect result. If called on an
	uninitialized point, MultiScalarMult exhibited undefined behavior.
	cves:
	- CVE-2026-26958
	credits:
	- shaharcohen1
	- WeebDataHoarder
	references:
	- advisory: https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr
	- fix: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
	source:
	id: go-security-team
	created: 2026-02-17T14:45:04.271552-05:00
	review_status: REVIEWED