CVE-2026-26958 Overview
CVE-2026-26958 is an improper initialization vulnerability in filippo.io/edwards25519, a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. The MultiScalarMult function produces invalid results or undefined behavior when the receiver is not the identity point, potentially affecting cryptographic operations that rely on this advanced API.
Critical Impact
The vulnerability can cause MultiScalarMult to return incorrect results when called on an initialized point that is not the identity point, or undefined behavior when called on an uninitialized point. If the receiver is the zero value, the function returns an invalid point that compares Equal to every other point, potentially compromising cryptographic integrity.
Affected Products
- filippo.io/edwards25519 versions 1.1.0 and earlier
Discovery Timeline
- 2026-02-19 - CVE-2026-26958 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26958
Vulnerability Analysis
This vulnerability is classified as CWE-665 (Improper Initialization). The (*Point).MultiScalarMult method fails to properly initialize the receiver point before performing scalar multiplication operations. When the receiver is not explicitly set to the identity point, the function operates on potentially uninitialized or invalid state data, leading to incorrect cryptographic calculations.
The vulnerability is notable because MultiScalarMult is described as a rarely used, advanced API within the library. Users who depend on filippo.io/edwards25519 only through indirect dependencies such as github.com/go-sql-driver/mysql are not affected by this issue.
Root Cause
The root cause is the lack of explicit initialization of the receiver variable v to the identity point before the lookup-and-add loop in the MultiScalarMult function. Without this initialization, the receiver retains whatever value it had prior to the method call, corrupting the subsequent scalar multiplication calculations.
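To make the root cause concrete, the following is an added example, not code from filippo.io/edwards25519: it reproduces the same accumulator structure (receiver used as the running sum, digit-by-digit loop with a shared "multiply by 16" step, first iteration unwrapped) over a toy additive group, the integers modulo a prime, in place of the curve. A flag switches the identity reset on and off so the effect of a stale receiver is visible. The names multiScalarMult, radix16Digits and reference, the modulus and the sample scalars and points are the example's own constructions; the toy group has no "uninitialized" state distinct from zero, so it models the non-identity receiver case but not the zero-value Point case described under Critical Impact.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy additive group: integers modulo q. A "point" is a residue, point
// addition is addition mod q, and scalar multiplication is multiplication
// mod q. This is a constructed stand-in for the curve, NOT edwards25519.
var q = big.NewInt(1000000007)

// identity is the group's neutral element (the analogue of NewIdentityPoint()).
var identity = big.NewInt(0)

// radix16Digits returns the 16 base-16 digits of a 64-bit scalar, least
// significant first. The real library uses signed radix-16 digits of a
// 256-bit scalar, but the shape of the accumulation loop is the same.
func radix16Digits(s uint64) [16]int {
	var d [16]int
	for i := 0; i < 16; i++ {
		d[i] = int((s >> (4 * uint(i))) & 0xF)
	}
	return d
}

// multiScalarMult computes sum_j scalars[j]*points[j] into v, sharing the
// multiply-by-16 step between all points. With resetReceiver == false it
// reproduces the CVE-2026-26958 pattern: the first iteration is unwrapped,
// which is only correct if v already holds the identity, so whatever v held
// before the call is silently folded into the result (scaled by 16^15).
func multiScalarMult(v *big.Int, scalars []uint64, points []*big.Int, resetReceiver bool) *big.Int {
	if len(scalars) != len(points) {
		panic("multiScalarMult: different size inputs")
	}
	digits := make([][16]int, len(scalars))
	for j, s := range scalars {
		digits[j] = radix16Digits(s)
	}
	if resetReceiver {
		v.Set(identity) // the one-line fix: start the accumulator at identity
	}
	tmp := new(big.Int)
	// Unwrapped first iteration: v = v + sum_j digits[j][15]*P_j
	for j := range points {
		tmp.Mul(points[j], big.NewInt(int64(digits[j][15])))
		v.Add(v, tmp).Mod(v, q)
	}
	for i := 14; i >= 0; i-- {
		v.Mul(v, big.NewInt(16)).Mod(v, q) // shared "four doublings" step
		for j := range points {
			tmp.Mul(points[j], big.NewInt(int64(digits[j][i])))
			v.Add(v, tmp).Mod(v, q)
		}
	}
	return v
}

// reference computes sum_j scalars[j]*points[j] directly, as a test oracle.
func reference(scalars []uint64, points []*big.Int) *big.Int {
	acc := new(big.Int)
	tmp := new(big.Int)
	for j := range points {
		tmp.Mul(points[j], new(big.Int).SetUint64(scalars[j]))
		acc.Add(acc, tmp)
	}
	return acc.Mod(acc, q)
}

func main() {
	// Constructed sample inputs: 3*7 + 5*11 = 76 in the toy group.
	scalars := []uint64{3, 5}
	points := []*big.Int{big.NewInt(7), big.NewInt(11)}
	want := reference(scalars, points)
	fresh := multiScalarMult(new(big.Int), scalars, points, false)
	stale := multiScalarMult(big.NewInt(12345), scalars, points, false)
	fixed := multiScalarMult(big.NewInt(12345), scalars, points, true)
	fmt.Println("expected:", want)
	fmt.Println("identity receiver, no reset:", fresh)
	fmt.Println("stale receiver, no reset (bug):", stale)
	fmt.Println("stale receiver, with reset (fix):", fixed)
}
```

The "stale receiver, no reset" line is the vulnerable behaviour: the result is 16^15 times the old receiver value plus the correct sum, which is why the advisory's workaround of passing an identity receiver is equivalent to the fix from the caller's side.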
Attack Vector
This vulnerability is exploitable over the network with high attack complexity and requires specific preconditions. An attacker would need to influence the state of the receiver point used in MultiScalarMult operations within a target application. Successful exploitation could lead to cryptographic operations producing invalid results, potentially enabling signature forgery or other cryptographic attacks depending on how the affected application uses the edwards25519 library.
// Security patch from commit d1c650afb95fad0742b98d95f2eb2cf031393abb
// The fix initializes the receiver to the identity point before operations
tmp1 := &projP1xP1{}
tmp2 := &projP2{}
// Lookup-and-add the appropriate multiple of each input point
+ v.Set(NewIdentityPoint())
for j := range tables {
tables[j].SelectInto(multiple, digits[j][63])
tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
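Review bot: the doc comment for MultiScalarMult should be updated alongside this `v.Set(NewIdentityPoint())`, because the method now discards the receiver's prior value rather than accumulating into it, and callers who relied on either reading need to know which one holds. The placement also deserves a note or a test: the loop below reads `tables[j]`, so the lookup tables were built from `points` before this reset, which is what keeps the call correct when one of the input points aliases `v`; a regression test covering a zero-value receiver, a non-identity receiver and an aliased input, each compared against the equivalent ScalarMult sum, would pin down the behaviour this advisory describes.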
Source: GitHub Commit Update
Detection Methods for CVE-2026-26958
Indicators of Compromise
- Cryptographic signature verification failures or unexpected validation passes in applications using filippo.io/edwards25519
- Anomalous point comparison results where unrelated points are incorrectly evaluated as equal
- Application logs showing unexpected cryptographic operation outcomes
Detection Strategies
- Audit Go module dependencies using go list -m all | grep filippo.io/edwards25519 to identify vulnerable versions
- Review application code for direct usage of the MultiScalarMult method on Point receivers
- Implement cryptographic test vectors to validate expected behavior of edwards25519 operations
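One way to automate the dependency audit in the first item above, written here as an added Go program rather than anything shipped with the library: it parses `go list -m all` output (a constructed sample is embedded), honours replace directives, and treats any resolved version that is not a plain release at or above v1.1.1, including pseudo-versions and unversioned local replacements, as needing attention. The function names checkEdwards25519, parseSemver and atLeast are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output; not from any real project.
const sampleGoList = `example.com/app
filippo.io/edwards25519 v1.1.0 // indirect
github.com/go-sql-driver/mysql v1.8.1
golang.org/x/crypto v0.31.0
`

const vulnerableModule = "filippo.io/edwards25519"

// fixedVersion is the first release the advisory names as patched (1.1.1).
var fixedVersion = [3]int{1, 1, 1}

// parseSemver turns "v1.1.0" into {1, 1, 0}. Pre-release or build suffixes,
// including pseudo-versions such as "v1.1.1-0.2026...-abcdef", make ok false:
// they cannot be assumed to contain the fix.
func parseSemver(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if strings.ContainsAny(v, "-+") {
		return parts, false
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// atLeast reports whether a >= b, comparing major, minor, patch in order.
func atLeast(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// checkEdwards25519 scans go-list output and reports the resolved version of
// filippo.io/edwards25519 and whether it should be treated as vulnerable.
// found is false when the module is not part of the build at all.
func checkEdwards25519(goListOutput string) (version string, vulnerable bool, found bool) {
	for _, line := range strings.Split(goListOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != vulnerableModule {
			continue
		}
		version = fields[1]
		// A replace directive ("mod v1 => other v2" or "mod v1 => ../local")
		// changes what is actually built; take the version after the arrow.
		for i, f := range fields {
			if f == "=>" {
				if i+2 < len(fields) && strings.HasPrefix(fields[i+2], "v") {
					version = fields[i+2]
				} else {
					version = "(local replacement, no version)"
				}
			}
		}
		parts, ok := parseSemver(version)
		// Anything unparseable is flagged so a human looks at it.
		return version, !ok || !atLeast(parts, fixedVersion), true
	}
	return "", false, false
}

func main() {
	v, vuln, found := checkEdwards25519(sampleGoList)
	fmt.Printf("found=%v version=%s vulnerable=%v\n", found, v, vuln)
}
```

In a pipeline, feed the real `go list -m all` output into checkEdwards25519 and fail the build when vulnerable is true; because pseudo-versions are flagged rather than guessed at, a build pinned to an unreleased commit gets a human review instead of a silent pass.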
Monitoring Recommendations
- Monitor for cryptographic operation anomalies in applications using this library
- Track dependency versions in CI/CD pipelines to ensure patched versions are deployed
- Review security advisories from the library maintainer for related issues
How to Mitigate CVE-2026-26958
Immediate Actions Required
- Update filippo.io/edwards25519 to version 1.1.1 or later immediately
- Review code paths that use MultiScalarMult to ensure they are not affected by incorrect results from vulnerable versions
- Run cryptographic test suites to verify correct behavior after updating
Patch Information
The vulnerability has been fixed in version 1.1.1 of the filippo.io/edwards25519 library. The patch explicitly initializes the receiver to the identity point using v.Set(NewIdentityPoint()) before performing the scalar multiplication operations. Users can update by running go get filippo.io/edwards25519@v1.1.1 or updating their go.mod file. For detailed patch information, see the GitHub Security Advisory GHSA-fw7p-63qq-7hpr and the GitHub Release v1.1.1.
Workarounds
- Ensure the receiver point is explicitly set to the identity point before calling MultiScalarMult
- If upgrading is not immediately possible, avoid using MultiScalarMult on non-identity receiver points
- Consider using alternative scalar multiplication methods that do not exhibit this behavior
# Configuration example
# Update Go module to patched version
go get filippo.io/edwards25519@v1.1.1
# Verify the update
go list -m filippo.io/edwards25519
# Expected output: filippo.io/edwards25519 v1.1.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

