Description
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.
Published: 2026-02-19
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Incorrect cryptographic output leading to potential protocol failures
Action: Update Library
AI Analysis

Impact

In affected versions, MultiScalarMult returns an incorrect point when the receiver is an initialized point other than the identity, and its behavior is undefined when the receiver is uninitialized. The erroneous result may propagate through cryptographic protocols, causing authentication failures or invalid signatures. The flaw sits in the library's curve arithmetic, so it can invalidate any primitive built on MultiScalarMult. The impact is limited to applications that invoke this rarely used, advanced API.

Affected Systems

The vendor FiloSottile provides the library filippo.io/edwards25519. Versions 1.1.0 and earlier are affected. The bug does not affect code that depends on the library indirectly through other packages that never call MultiScalarMult, such as applications that use go-sql-driver/mysql.

Risk and Exploitability

The CVSS score of 1.7 and EPSS of less than 1% indicate a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local code execution via applications that directly invoke MultiScalarMult on a non‑identity receiver. No remote exploitation path is known. Given the low severity and limited exposure, the risk to most users is minimal, but patching remains recommended.

Generated by OpenCVE AI on April 17, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to v1.1.1 or later, which contains the fix for the MultiScalarMult issue.
  • If the library version is older, refactor any code that uses MultiScalarMult so that the receiver is always the identity point, or avoid the method.
  • Perform a code review or static analysis of cryptographic modules to confirm that no undefined behavior can occur when using the elliptic curve library.

Generated by OpenCVE AI on April 17, 2026 at 17:46 UTC.

Advisories

Source: Github GHSA
ID: GHSA-fw7p-63qq-7hpr
Title: filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

History

Sat, 21 Feb 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-824

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}; threat_severity Low


Fri, 20 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Filosottile; Filosottile filippo.io/edwards25519

Type: Vendors & Products
Values Added: Filosottile; Filosottile filippo.io/edwards25519

Thu, 19 Feb 2026 23:15:00 +0000

Type: Description
Values Added: identical to the Description at the top of this page

Type: Title
Values Added: filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity

Type: Weaknesses
Values Added: CWE-665

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:39:04.748Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26958

Vulnrichment

Updated: 2026-02-20T15:27:10.701Z

NVD

Status: Deferred

Published: 2026-02-19T23:16:26.577

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26958

Redhat

Severity: Low

Public Date: 2026-02-19T23:01:26Z

Links: CVE-2026-26958 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses