libgcrypt P256 signature malleability via weak DER enforcement

Jake Ginesin jakeginesin at gmail.com
Thu Jan 15 00:46:28 CET 2026


Hey Sam,

The Gnupg security webpage states, "If you found a severe security problem
and you do not want to publish it, please report it by mail to security at
gnupg.org"

In my opinion the "severe" vulnerability classification for ECDSA should be
reserved for signature forgery and private key extraction. While I judge
this issue as relevant and important to address (especially due to the
trivial exploitability), I do not see it as severe. Hence, I disclosed it
publicly. Was this the wrong decision?

Thanks,
Jake
https://jakegines.in

On Wed, Jan 14, 2026 at 5:43 PM Sam James <sam at gentoo.org> wrote:

> Jake Ginesin via Gnupg-devel <gnupg-devel at gnupg.org> writes:
>
> > Thank you for your response, and thank you for upstreaming this issue to
> > libksba.
> >
> > May I be granted a GNU bugtracker account, such that I may participate
> > in the ticket thread? I would like to emphasize the security impact of
> > this issue, as an attacker may very trivially mutate signatures without
> > affecting validity. In addition to the CVEs previously mentioned,
> > CVE-2019-14859 and BIP-66 also report on the same issue in other libraries.
>
> As a casual observer, is there a reason you submitted this publicly, and
> not via https://gnupg.org/documentation/security.html?
>
> I'm a bit surprised to have seen it publicly and also found it strange
> someone else did something similar recently on the libgcrypt mailing list.
>
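The mutation discussed in this thread (re-encoding r, s or a length octet in a non-canonical form that a lenient decoder still maps to the same (r, s)) is shown below as an added example. This is not code from libgcrypt, libksba or anyone on the list: it is a small DER decoder for an ECDSA SEQUENCE { INTEGER r, INTEGER s } with a strict and a lenient mode, plus an encoder that can deliberately emit the non-canonical variants. The r and s values are constructed for the demo and are not a real signature; the function names are the example's own.

```python
# Added example, not libgcrypt/libksba code: DER strictness for ECDSA.
# A signature is SEQUENCE { INTEGER r, INTEGER s }. A decoder that also
# accepts non-minimal INTEGER or length encodings maps many byte strings
# to one (r, s), so a valid signature can be rewritten without becoming
# invalid (the issue BIP-66 addressed). Strict DER admits one encoding.

def encode_len(n, force_long=False):
    """DER length octets; force_long=True emits the non-canonical long form
    for n < 128 (e.g. 81 2A instead of 2A)."""
    if n < 0x80 and not force_long:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([0x80 | len(lb)]) + lb

def encode_int(v, extra_zero_bytes=0):
    """DER INTEGER for non-negative v; each extra 0x00 is a redundant
    leading octet that strict DER forbids."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # top bit always clear
    body = b"\x00" * extra_zero_bytes + body
    return b"\x02" + encode_len(len(body)) + body

def encode_sig(r, s, pad_r=0, long_len=False):
    """Encode (r, s); pad_r / long_len produce malleated variants."""
    body = encode_int(r, pad_r) + encode_int(s)
    return b"\x30" + encode_len(len(body), long_len) + body

def _read_len(buf, i):
    """Parse the length at buf[i]; return (length, next_index, is_minimal)."""
    if i >= len(buf):
        raise ValueError("truncated length")
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i, True
    n = first & 0x7F
    if n == 0 or n > 4 or i + n > len(buf):
        raise ValueError("indefinite, oversized or truncated length")
    length = int.from_bytes(buf[i:i + n], "big")
    # Long form is minimal only if it was needed (>= 128) and has no
    # leading zero length octet.
    return length, i + n, (length >= 0x80 and buf[i] != 0)

def _read_int(buf, i, strict):
    """Parse an INTEGER at buf[i]; return (value, next_index)."""
    if i >= len(buf) or buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i, minimal = _read_len(buf, i + 1)
    if length == 0 or i + length > len(buf):
        raise ValueError("bad INTEGER length")
    body = buf[i:i + length]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")  # r and s are never negative
    if strict:
        if not minimal:
            raise ValueError("non-minimal length encoding")
        if length > 1 and body[0] == 0 and not (body[1] & 0x80):
            raise ValueError("redundant leading zero in INTEGER")
    return int.from_bytes(body, "big"), i + length

def parse_ecdsa_sig(sig, strict=True):
    """Decode SEQUENCE { INTEGER r, INTEGER s } to (r, s). strict=False is
    the lenient behaviour that makes signatures malleable. Range checks of
    r, s against the curve order belong to the verifier and are omitted."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i, minimal = _read_len(sig, 1)
    if i + length != len(sig):
        raise ValueError("SEQUENCE length does not match input size")
    if strict and not minimal:
        raise ValueError("non-minimal SEQUENCE length")
    r, i = _read_int(sig, i, strict)
    s, i = _read_int(sig, i, strict)
    if i != len(sig):
        raise ValueError("trailing bytes inside SEQUENCE")
    return r, s

def strict_accepts(sig):
    """True if sig is the single canonical DER encoding of some (r, s)."""
    try:
        parse_ecdsa_sig(sig, strict=True)
        return True
    except ValueError:
        return False

def malleability_demo():
    """Map variant name -> (lenient decodes to (r, s), strict accepts)."""
    # Constructed values, not a real signature. r's top bit is clear so a
    # redundant 0x00 can be prepended; s legitimately needs a leading 0x00.
    r = (0x5A << 248) | 0x1234
    s = 0xC0FFEE
    variants = {
        "canonical": encode_sig(r, s),
        "redundant_leading_zero_r": encode_sig(r, s, pad_r=1),
        "long_form_sequence_length": encode_sig(r, s, long_len=True),
    }
    return {name: (parse_ecdsa_sig(blob, strict=False) == (r, s), strict_accepts(blob))
            for name, blob in variants.items()}

if __name__ == "__main__":
    for name, (lenient_ok, strict_ok) in malleability_demo().items():
        print(f"{name:28} lenient={lenient_ok} strict={strict_ok}")
```

Both malleated variants decode to the same (r, s) as the canonical blob under the lenient decoder, so a verifier built on it would accept all three byte strings as the same signature; the strict decoder accepts only the canonical one. A third, encoding-independent source of malleability (replacing s by n - s) is not a DER question and is not covered here.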