Bug 2428154 (CVE-2025-14505)

Summary: CVE-2025-14505 elliptic: Key handling flaws in Elliptic
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: akostadi, amasferr, bdettelb, caswilli, chfoley, dhanak, dmayorov, doconnor, drosa, eric.wittmann, gmalinko, ibek, janstey, jcantril, jkoehler, jlledo, jrokos, jscholz, kaycoth, kverlaen, lchilton, lphiri, mnovotny, nipatil, pantinor, pdelbell, pjindal, rgodfrey, rhel-process-autobot, rkubis, rojacob, rstepani, sausingh, sdawley, sfeifer, swoodman, teagle, tsedmik, watson-tool-maintainers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' has leading zeros and may potentially expose a secret key. A similar miscalculation can happen whenever the size of the message digest is longer than the size of the curve. As a result, invalid signatures may be generated which validate when tested. If an attacker can arbitrarily construct input, they may also be able to expose the secret signing key.
Bug Depends On: 2428356, 2428359, 2428364, 2428372, 2428354, 2428355, 2428357, 2428358, 2428360, 2428361, 2428362, 2428363, 2428365, 2428366, 2428367, 2428368, 2428369, 2428370, 2428371

Description OSIDB Bzimport 2026-01-08 22:01:43 UTC
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could, under certain conditions, derive the secret key if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.

This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).