GHSA-c6rr-7pmc-73wc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c6rr-7pmc-73wc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-c6rr-7pmc-73wc/GHSA-c6rr-7pmc-73wc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c6rr-7pmc-73wc
- Aliases
- Published
- 2026-02-25T18:26:58Z
- Modified
- 2026-02-28T06:26:33.113306Z
- Severity
-
- 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation
- Details
-
Impact
The
RSASHA256AlgorithmandRSASHA1Algorithmcontracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher's 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership.Affected contracts
Contract | Address | Status -- | -- | -- RSASHA256Algorithm | 0x9D1B5a639597f558bC37Cf81813724076c5C1e96 | Vulnerable RSASHA1Algorithm | 0x6ca8624Bc207F043D140125486De0f7E624e37A1 | Vulnerable DNSSECImpl | 0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5 | Uses vulnerable algorithms DNSRegistrar | 0xB32cB5677a7C971689228EC835800432B339bA2B | Attack entry point
Patches
The bug was reported via Immunefi with possible solutions. The patch was merged at https://github.com/ensdomains/ens-contracts/commit/c76c5ad0dc9de1c966443bd946fafc6351f87587
Workarounds
- Deploy the patched contracts
- Point DNSSECImpl.setAlgorithm to the deployed contract
Resources
https://github.com/ensdomains/ens-contracts-bug-62248-pr-509
- Database specific
{ "nvd_published_at": "2026-02-25T16:23:25Z", "github_reviewed_at": "2026-02-25T18:26:58Z", "github_reviewed": true, "cwe_ids": [ "CWE-347" ], "severity": "LOW" }- References
-
- https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-c6rr-7pmc-73wc
- https://nvd.nist.gov/vuln/detail/CVE-2026-22866
- https://github.com/ensdomains/ens-contracts/commit/c76c5ad0dc9de1c966443bd946fafc6351f87587
- https://github.com/ensdomains/ens-contracts
- https://github.com/ensdomains/ens-contracts-bug-62248-pr-509
Affected packages
npm / @ensdomains/ens-contracts
Package
- Name
- @ensdomains/ens-contracts
- View open source insights on deps.dev
- Purl
- pkg:npm/%40ensdomains/ens-contracts