In sig_verify() in x509.c in axTLS versions 2.1.3 and earlier, PKCS#1 v1.5 signature verification does not properly verify the ASN.1 metadata in the decoded signature. Consequently, a remote attacker can forge signatures when a small RSA public exponent is used, which could lead to impersonation through fake X.509 certificates. This is an even more permissive variant of the RSA signature-forgery flaws CVE-2006-4790 (GnuTLS) and CVE-2014-1568 (NSS).
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "fake"
}
]
}
]
[
{
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2018-16253-3090bf7e",
"digest": {
"line_hashes": [
"108661851987972133158347054716703460683",
"14896255174603763604770523751983435879",
"120240012124074572250753975559093603406",
"45010925886924942386907557492617314856",
"115305286616551607897244325241390183963",
"9084237671732349361622604103010111563",
"185845852160614897619048903410496139504",
"208322761451658317154631074413909015154",
"185082032209968563001193921342815963010",
"186270198572434066780252391661755022115",
"50486728262798664783477895502371598539",
"238538377523240267513329349303468711107",
"244601293052885541233433686491443506785",
"57107941115571653783496538010191647563",
"218390482235484409823204904791605352948",
"278618590998667647087943783369648520885",
"166932922021684597834217713555700614848",
"195146750242824880305351287025864433794",
"22185783351391265490991248551830443790",
"84577917608870377487401127617600840478",
"181807139630374287586913659774436982587",
"57536454303877057962146740463074587417",
"233082035197181483690985219850815497923",
"258752981139989151020579234742060642985",
"117578550962584056793915946910351421511",
"61491189147592498635277465718922381231",
"108836589434530459216980942412049144973",
"335081944872175553627843886622382730268",
"95625288284106286882967882031022885083",
"49585425216726811453278729953818840069",
"237978599236179955971782873432814558865",
"339536106570935589585141430302204605375",
"294128945153324378199602375625233392002",
"202780183330052102017085865184175332675",
"235316235711897240953832705127279614660",
"19322163383816135294590054626317666890",
"149134396912841586962585068550949712513",
"154871753701657350703814844030645535224",
"138740526242742065281847547013745442303",
"236008771591026412195639438620995675865",
"303492404983386076464265066061129154306",
"93317831494390685477701447882423156453",
"165379616122019241837551638587367351881",
"165877849408296707887289760177956569788",
"260572460417766524035127727657875885064",
"15599565959541491860649101577670499488",
"285410099532478080544838165762270161618"
],
"threshold": 0.9
},
"source": "https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c",
"signature_type": "Line",
"target": {
"file": "ssl/x509.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2018-16253-94fc8e4b",
"digest": {
"length": 389.0,
"function_hash": "74073868604478741200156603912144804076"
},
"source": "https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c",
"signature_type": "Function",
"target": {
"file": "ssl/x509.c",
"function": "get_signature"
}
},
{
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2018-16253-c256e85e",
"digest": {
"line_hashes": [
"253007544034811596310265824059848257290",
"268133784929346848139382881450918463779",
"65170034753240938602689110438809907804",
"4989148451732204170605134390826381115"
],
"threshold": 0.9
},
"source": "https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c",
"signature_type": "Line",
"target": {
"file": "ssl/os_port.h"
}
},
{
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2018-16253-d6e58869",
"digest": {
"length": 702.0,
"function_hash": "232285230700911005501498625380349597162"
},
"source": "https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c",
"signature_type": "Function",
"target": {
"file": "ssl/x509.c",
"function": "sig_verify"
}
},
{
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2018-16253-ec948ef3",
"digest": {
"length": 2514.0,
"function_hash": "47102076113973104952396175716829351788"
},
"source": "https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c",
"signature_type": "Function",
"target": {
"file": "ssl/x509.c",
"function": "x509_verify"
}
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16253.json"
"2026-04-11T12:27:49Z"