Bug 2441221 (CVE-2026-26958)

Summary: CVE-2026-26958 filippo.io/edwards25519: filippo.io/edwards25519: Cryptographic integrity bypass due to incorrect MultiScalarMult results
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aazores, abuckta, adudiak, akostadi, akoudelk, alcohan, amasferr, anjoseph, aprice, bdettelb, caswilli, cmah, crizzo, dhanak, dkuc, dmayorov, doconnor, drosa, dsimansk, eaguilar, ebaron, gparvin, gtanzill, jbalunas, jbuscemi, jdobes, jkoehler, jlledo, jmitchel, jolong, jprabhak, jsamir, jsherril, jvasik, kaycoth, kgaikwad, kingland, kshier, kverlaen, lball, lbragsta, lphiri, mnovotny, mstipich, ngough, oezr, orabin, pahickey, pantinor, pbohmill, pjindal, rblanco, rexwhite, rhaigner, rochandr, sausingh, stcannon, sthirugn, teagle, tsedmik, veshanka, vmugicag, wenshen, wtam, xiyuan, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in filippo.io/edwards25519, a Go library used for cryptographic operations. This vulnerability occurs in the MultiScalarMult function when it processes points that are not properly initialized or are not the identity point. Such conditions can lead to incorrect cryptographic results, potentially allowing an attacker to bypass security checks or compromise data integrity. This issue impacts the reliability of cryptographic primitives within applications utilizing the library.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-20 00:02:26 UTC 
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.