2318778 – (CVE-2024-48948) CVE-2024-48948 elliptic: ECDSA signature verification error may reject legitimate transactions

Bug 2318778 (CVE-2024-48948) - CVE-2024-48948 elliptic: ECDSA signature verification error may reject legitimate transactions

Summary: CVE-2024-48948 elliptic: ECDSA signature verification error may reject legiti...

Keywords:
Status:	NEW
Alias:	CVE-2024-48948
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-15 14:01 UTC by OSIDB Bzimport
Modified:	2025-04-18 08:27 UTC (History)
CC List:	42 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-10-15 14:01:08 UTC

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Note You need to log in before you can comment on or make changes to this bug.

akostadi
alcohan
amasferr
anjoseph
bdettelb
cbartlet
cdaley
chazlett
dmayorov
doconnor
erack
gkamathe
gotiwari
gparvin
jcantril
jchui
jhorak
jlledo
jprabhak
jwendell
ktsao
lbainbri
lchilton
mjaros
mkudlej
mmakovy
mvyas
nboldt
njean
owatkins
pahickey
rcernich
rhaigner
rtaniwa
sdawley
sfeifer
teagle
tjochec
tkral
tpopela
twalsh
wtam