Description
A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of a cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended.
Published: 2026-03-22
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Improper cryptographic signature verification
Action: Patch Now
AI Analysis

Impact

An error in the Ed25519 signature verification routine of tinyssh leads to improper verification of cryptographic signatures, enabling a local attacker to forge signatures and potentially bypass authentication or authorization checks that depend on these signatures. The flaw is a result of limited input validation and is identified as CWE-345 and CWE-347. The impact is restricted to the local environment and does not expose the system to remote attackers.

Affected Systems

The vulnerability exists in janmojzis tinyssh versions up to 20250501, specifically in the crypto_sign_ed25519_tinyssh.c component. Upgrading to release 20260301 resolves the issue, as the patch commit 9c87269607e0d7d20174df742accc49c042cff17 has been applied to this version.

Risk and Exploitability

The CVSS score is 2, indicating low severity. The empirical probability of exploitation is unknown and the vulnerability is not listed in the CISA KEV catalog. It requires local execution and is considered difficult to exploit, although an exploit has been published. Risk is therefore limited to local privilege holders, but the flaw can still allow credential replay or unauthorized actions within the local host.

Generated by OpenCVE AI on March 22, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to tinyssh version 20260301 or later.
  • Validate the update by checking the patch commit identifier 9c87269607e0d7d20174df742accc49c042cff17.
  • If an immediate upgrade is not possible, restrict local users from executing the vulnerable tinyssh binary until the patch is applied.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:30:00 +0000


Sat, 18 Apr 2026 04:30:00 +0000

Type: Description
Values Removed: A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Values Added: The same description with the final sentence about visiting VulDB removed.
Type: References
Values Removed: (none)
Values Added: (none)

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Janmojzis; Janmojzis tinyssh
Type: Vendors & Products
Values Added: Janmojzis; Janmojzis tinyssh

Sun, 22 Mar 2026 09:00:00 +0000

Type: Description
Values Added: A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Type: Title
Values Added: janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification
Type: Weaknesses
Values Added: CWE-345; CWE-347
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV2_0
{'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
cvssV3_0
{'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
cvssV3_1
{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
cvssV4_0
{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-18T03:39:33.191Z

Reserved: 2026-03-21T15:10:27.592Z

Link: CVE-2026-4541

Vulnrichment

Updated: 2026-03-23T15:33:46.444Z

NVD

Status : Awaiting Analysis

Published: 2026-03-22T09:15:59.683

Modified: 2026-04-18T05:16:22.490

Link: CVE-2026-4541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:46:35Z

Weaknesses