CVE-2026-4115 Overview
A cryptographic signature verification vulnerability has been identified in PuTTY 0.83, specifically affecting the eddsa_verify function within the crypto/ecc-ssh.c file of the Ed25519 Signature Handler component. This vulnerability allows for improper verification of cryptographic signatures, potentially enabling attackers to manipulate signature verification processes. The attack can be performed remotely via the network, though exploitation requires a high level of complexity and is considered difficult.
Critical Impact
Improper verification of Ed25519 cryptographic signatures could allow signature malleability attacks, potentially undermining the integrity of authenticated SSH connections, though real-world impact remains unproven at this time.
Affected Products
- PuTTY 0.83
- Systems using PuTTY's Ed25519 signature verification
- Applications integrating PuTTY's crypto/ecc-ssh.c library
Discovery Timeline
- 2026-03-22 - CVE CVE-2026-4115 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-4115
Vulnerability Analysis
This vulnerability relates to improper verification of Ed25519 cryptographic signatures (CWE-345: Insufficient Verification of Data Authenticity). The flaw exists in the eddsa_verify function within crypto/ecc-ssh.c, where the signature verification logic fails to properly validate certain signature components according to the Ed25519 specification outlined in RFC 8032 Section 8.4.
The vulnerability specifically involves signature malleability, where an attacker could potentially create alternative valid signatures for the same message. While the attack requires network access and involves high complexity, a proof-of-concept has been made publicly available demonstrating the theoretical issue. However, at this time, there is no proof that this flaw has any real-world impact on PuTTY users.
Root Cause
The root cause lies in the Ed25519 signature verification implementation within crypto/ecc-ssh.c. The eddsa_verify function does not properly check for overlarge S values in Ed25519 signatures as specified in RFC 8032. This allows signatures with S values greater than or equal to the group order L to be accepted as valid, creating signature malleability where multiple distinct signatures can verify for the same message-key pair.
Attack Vector
The attack can be performed remotely over the network against systems running vulnerable versions of PuTTY. An attacker would need to:
- Intercept or observe a valid Ed25519 signature
- Manipulate the S component of the signature by adding the group order L
- Present the modified signature to the verification function
- The modified signature would incorrectly verify as valid
While the exploitability is considered difficult due to the high attack complexity requirements, the theoretical attack vector demonstrates non-compliance with Ed25519 specification requirements. The GitHub PoC repository contains a proof-of-concept script demonstrating this signature malleability issue.
Detection Methods for CVE-2026-4115
Indicators of Compromise
- Unusual Ed25519 signature values observed in SSH connection logs where S component values exceed expected bounds
- Modified signatures appearing in authentication attempts that still pass verification
- Unexpected signature patterns in SSH protocol traffic analysis
Detection Strategies
- Monitor SSH connection logs for anomalous Ed25519 signature characteristics
- Implement signature value range checking in network intrusion detection systems
- Deploy endpoint detection to identify PuTTY version 0.83 installations requiring updates
- Review SSH authentication logs for potential signature manipulation attempts
Monitoring Recommendations
- Enable verbose logging for SSH authentication events on critical systems
- Configure network monitoring to inspect Ed25519 signature traffic for anomalies
- Establish baseline metrics for SSH authentication patterns to detect deviations
- Integrate vulnerability scanning to identify unpatched PuTTY installations across the environment
How to Mitigate CVE-2026-4115
Immediate Actions Required
- Update PuTTY to the latest patched version incorporating commit af996b5ec27ab79bae3882071b9d6acf16044549
- Audit systems for installations of PuTTY 0.83 and schedule immediate patching
- Review SSH key authentication logs for any suspicious activity during the exposure window
- Consider temporarily using alternative SSH clients on high-security systems if immediate patching is not possible
Patch Information
The PuTTY maintainers have released a security patch identified by commit hash af996b5ec27ab79bae3882071b9d6acf16044549. This patch corrects the Ed25519 signature verification to properly reject signatures with overlarge S values as specified in RFC 8032. The vendor responded professionally and released the fix promptly after being notified. Technical details of the patch are available in the Tartarus Git commit diff.
Additional information about this issue and the fix is documented in the Chiark wishlist entry.
Workarounds
- Restrict network access to systems running vulnerable PuTTY versions until patches can be applied
- Implement additional authentication factors beyond SSH key-based authentication for sensitive systems
- Use network segmentation to limit exposure of systems running unpatched PuTTY installations
- Monitor for exploitation attempts using the published proof-of-concept indicators
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
