Description
A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended.
Published: 2026-03-22
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Improper cryptographic signature verification
Action: Patch Now
AI Analysis

Impact

An error in the Ed25519 signature verification routine of tinyssh leads to improper verification of cryptographic signatures. Based on the description, it is inferred that this flaw could allow a local attacker to forge signatures and potentially bypass authentication or authorization checks that depend on these signatures, and that the flaw is a result of limited input validation; it is identified as CWE-345 and CWE-347. The impact is restricted to the local environment and does not expose the system to remote attackers. The vulnerability exists in an unknown function within the crypto_sign_ed25519_tinyssh.c component of tinyssh releases up to 20250501. Attackers must manipulate input locally; the attack has a high complexity rating and is considered difficult to exploit, yet an exploit has been published and may be used by local users.

Affected Systems

The vulnerability exists in janmojzis tinyssh versions up to 20250501, specifically in the crypto_sign_ed25519_tinyssh.c component. Upgrading to release 20260301 resolves the issue, as the patch commit 9c87269607e0d7d20174df742accc49c042cff17 has been applied to this version.

Risk and Exploitability

The CVSS score is 2, indicating low severity. The empirical probability of exploitation is low, with an EPSS score of < 1%, and the vulnerability is not listed in the CISA KEV catalog. It requires local execution and is considered difficult to exploit, although an exploit has been published. Risk is therefore limited to users who already hold local access, but the flaw can still allow credential replay or unauthorized actions within the local host.

Generated by OpenCVE AI on April 18, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to tinyssh version 20260301 or later.
  • Restrict local users from executing the vulnerable tinyssh binary until the patch is applied.
  • Monitor local authentication logs for unexpected or repeated signature verification failures that could indicate abuse.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:30:00 +0000


Sat, 18 Apr 2026 04:30:00 +0000

Type: Description
Values Removed: A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Values Added: A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended.
References

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Janmojzis; Janmojzis tinyssh
Type: Vendors & Products
Values Added: Janmojzis; Janmojzis tinyssh

Sun, 22 Mar 2026 09:00:00 +0000

Type: Description
Values Added: A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Type: Title
Values Added: janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification
Type: Weaknesses
Values Added: CWE-345; CWE-347
Type: References
Type: Metrics
Values Added: cvssV2_0

{'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-18T03:39:33.191Z

Reserved: 2026-03-21T15:10:27.592Z

Link: CVE-2026-4541

Vulnrichment

Updated: 2026-03-23T15:33:46.444Z

NVD

Status : Deferred

Published: 2026-03-22T09:15:59.683

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses