GHSA-fw7p-63qq-7hpr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fw7p-63qq-7hpr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-fw7p-63qq-7hpr/GHSA-fw7p-63qq-7hpr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fw7p-63qq-7hpr
- Aliases
- Downstream
- Related
- Published
- 2026-02-18T22:37:15Z
- Modified
- 2026-02-20T16:54:58.486597Z
- Severity
-
- 1.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity
- Details
-
(*Point).MultiScalarMultfailed to initialize its receiver.If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result.
If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver was the zero value, MultiScalarMult returned an invalid point that compared Equal to every point.
Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on
filippo.io/edwards25519viagithub.com/go-sql-driver/mysql, you are not affected. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like govulncheck. - Database specific
{ "nvd_published_at": "2026-02-19T23:16:26Z", "severity": "LOW", "github_reviewed_at": "2026-02-18T22:37:15Z", "cwe_ids": [ "CWE-665" ], "github_reviewed": true }- References
-
- https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr
- https://nvd.nist.gov/vuln/detail/CVE-2026-26958
- https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
- https://github.com/FiloSottile/edwards25519
- https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1
Affected packages
Go / filippo.io/edwards25519
Package
- Name
- filippo.io/edwards25519
- View open source insights on deps.dev
- Purl
- pkg:golang/filippo.io/edwards25519