exploitDog

CVE-2026-4258

Опубликовано: 17 мар. 2026

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.

Ссылки

EPSS

Процентиль: 4%

0.00017

Низкий

7.5 High

CVSS3

Дефекты

CWE-347

CWE-325

Связанные уязвимости

CVE-2026-4258

CVSS3: 7.5

debian

12 дней назад

All versions of the package sjcl are vulnerable to Improper Verificati ...

GHSA-2w8x-224x-785m

CVSS3: 7.5

github

12 дней назад

sjcl is missing point-on-curve validation in sjcl.ecc.basicKey.publicKey

EPSS

Процентиль: 4%

0.00017

Низкий

7.5 High

CVSS3

Дефекты

CWE-347

CWE-325

Уязвимость CVE-2026-4258