Description
PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification.
Published: 2026-05-25
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PuTTY versions prior to 0.84 contain an assertion that can fail during ECDSA host key verification. When the client processes an ECDSA key that makes the internal assertion fail, PuTTY aborts, crashing the client and denying service to the user. The weakness is classified as CWE-617 (Reachable Assertion): an assertion that external input can trigger, so the program terminates instead of handling the condition.

Affected Systems

The flaw affects PuTTY versions 0.71 through 0.83 (every release before 0.84) on every operating system PuTTY runs on. The CNA lists the product as PuTTY:PuTTY, and any user running an affected version may experience an unexpected crash.

Risk and Exploitability

The low CVSS score of 3.7 reflects the limited impact and the absence of remote code execution. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified, but a successful attack yields neither privilege nor persistence. The vulnerability is not catalogued in the CISA KEV list. The likely attack vector is a normal SSH session to a server that presents a malformed or deliberately crafted ECDSA host key, after which the client aborts. Because the flaw only terminates the client, the risk is limited to service disruption rather than credential theft or system compromise.

Generated by OpenCVE AI on May 25, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PuTTY to version 0.84 or later to apply the fix for the ECDSA assertion failure.
  • Temporarily avoid connecting to remote hosts that use ECDSA host keys until the update is available.
  • Disable ECDSA host key verification in your SSH client configuration or switch to a different SSH client that is not affected.
  • Verify the integrity of the PuTTY binary by checking its digital signature or checksum before installing, especially when downloading from unofficial sources.

Advisories

No advisories yet.

History

Tue, 26 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 22:45:00 +0000

Type      Values Removed   Values Added
Title                      Assertion Failure in ECDSA Host Key Verification in PuTTY

Mon, 25 May 2026 20:45:00 +0000

Type                  Values Removed   Values Added
Description                            PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification.
First Time appeared                    Putty; Putty putty
Weaknesses                             CWE-617
CPEs                                   cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*
Vendors & Products                     Putty; Putty putty
References
Metrics                                cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T12:39:14.852Z

Reserved: 2026-05-25T20:19:20.308Z

Link: CVE-2026-48852

Vulnrichment

Updated: 2026-05-26T12:39:12.140Z

NVD

Status: Received

Published: 2026-05-25T21:16:35.543

Modified: 2026-05-25T21:16:35.543

Link: CVE-2026-48852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T22:30:16Z

Weaknesses