Bug 2440580 (CVE-2026-2681)

Summary: CVE-2026-2681 github.com/supranational/blst: blst cryptographic library: Denial of Service via out-of-bounds stack write in key generation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the blst cryptographic library. An out-of-bounds stack write occurs in the blst_sha256_bcopy assembly routine because of a missing zero-length guard. A remote attacker can exploit this by providing a zero-length salt parameter to key generation functions, such as blst_keygen_v5(), if the application exposes this functionality. Successful exploitation leads to memory corruption and immediate process termination, resulting in a denial-of-service (DoS) condition.
Bug Depends On: 2440582    

Description OSIDB Bzimport 2026-02-18 12:24:22 UTC
An out-of-bounds stack write vulnerability exists in the blst_sha256_bcopy assembly routine of the blst cryptographic library. The flaw is caused by a missing zero-length guard in the copy loop implementation. When blst_keygen_v5() (or related key generation functions) is called with a valid non-NULL salt pointer and salt_len equal to zero, the length counter underflows, causing the loop to execute and write beyond intended stack boundaries. This results in memory corruption and immediate process termination. This issue can be triggered without authentication or user interaction if an application exposes key generation with attacker-controlled salt parameters, leading to a denial-of-service condition.
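
The failure mode described above, modelled in C as an added example; it is not code from blst or from this report. The function names are hypothetical, the loop counts iterations instead of storing bytes, and the caller-side check is an assumed policy for applications that pass untrusted salt values to key generation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a copy loop that decrements its counter before testing it.
 * It counts iterations instead of storing bytes, and stops at `cap`
 * so the model itself never leaves its bounds. */
size_t unguarded_iterations(size_t len, size_t cap)
{
    size_t n = 0;
    do {
        n++;    /* a real loop would store one byte here */
        len--;  /* len == 0 wraps to SIZE_MAX */
    } while (len != 0 && n < cap);
    return n;
}

/* The same copy with a zero-length guard and a destination bound. */
size_t guarded_copy(uint8_t *dst, size_t dst_cap,
                    const uint8_t *src, size_t len)
{
    if (len == 0 || len > dst_cap)
        return 0;
    memcpy(dst, src, len);
    return len;
}

/* Caller-side check (assumed policy): refuse the argument pair the
 * report describes, a non-NULL salt with salt_len == 0. */
int salt_args_ok(const uint8_t *salt, size_t salt_len)
{
    return !(salt != NULL && salt_len == 0);
}

int main(void)
{
    const uint8_t salt[4] = { 1, 2, 3, 4 };  /* constructed sample */
    printf("len=4: %zu iterations\n", unguarded_iterations(4, 64));
    printf("len=0: %zu iterations (capped)\n", unguarded_iterations(0, 64));
    printf("empty salt accepted: %d\n", salt_args_ok(salt, 0));
    return 0;
}
```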