Bug 2427278 (CVE-2025-15444) - CVE-2025-15444 libsodium: libsodium: Cryptographic bypass via improper elliptic curve point validation
Keywords:
Status: NEW
Alias: CVE-2025-15444
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2427350 2427353 2427346 2427347 2427348 2427349 2427351 2427352 2427354
Blocks:
Reported: 2026-01-06 01:01 UTC by OSIDB Bzimport
Modified: 2026-01-06 07:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-06 01:01:47 UTC
Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium.

libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 (https://www.cve.org/CVERecord?id=CVE-2025-69277).

The libsodium vulnerability states:

In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, libsodium mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

Version 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.
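Added example, not libsodium's code and not part of this report: a pure-Python Ed25519 decoder with the validity check the description refers to, i.e. on-curve plus membership in the prime-order group (L*P equals the identity). It assumes RFC 8032 point encoding; the order-4 torsion point and the BASE + torsion point are constructed here to show that a point can be on the curve and still fail the group check.

```python
"""Ed25519 point validation (constructed example, not libsodium code)."""

P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the main group
D = (-121665 * pow(121666, -1, P)) % P                # twisted Edwards constant d
IDENTITY = (0, 1)                                     # neutral element
BASE_BYTES = bytes([0x58]) + b"\x66" * 31             # RFC 8032 basepoint encoding
SQRT_M1 = pow(2, (P - 1) // 4, P)                     # a square root of -1 mod p
TORSION_4 = (SQRT_M1, 0)                              # on-curve point of order 4 (constructed)

def on_curve(pt):
    """-x^2 + y^2 == 1 + d*x^2*y^2 (mod p)."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p1, p2):
    """Complete affine addition law for a = -1 twisted Edwards curves."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P)
    return (x3 % P, y3 % P)

def scalar_mul(k, pt):
    """Double-and-add (validation only; not constant time)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def decode(b):
    """RFC 8032 decoding; None for bad length, non-canonical y or off-curve x."""
    y = int.from_bytes(b, "little") & ((1 << 255) - 1)
    if len(b) != 32 or y >= P:
        return None
    sign = b[31] >> 7
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * pow(v, -1, P), (P + 3) // 8, P)       # candidate sqrt(u/v)
    if (v * x * x - u) % P:
        x = x * SQRT_M1 % P                           # other candidate
    if (v * x * x - u) % P or (x == 0 and sign):
        return None                                   # not a square / bad sign
    return (P - x if (x & 1) != sign else x, y)

def is_valid_point(pt):
    """Reject identity, off-curve points, and points outside the order-L group."""
    return pt is not None and on_curve(pt) and pt != IDENTITY \
        and scalar_mul(L, pt) == IDENTITY

BASE = decode(BASE_BYTES)
```

The on-curve test alone accepts `add(BASE, TORSION_4)`; only the order-L check in `is_valid_point` rejects it.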