CVE-2026-3706
Received Received - Intake
Improper Signature Verification in mkj Dropbear Curve25519 Remote

Publication date: 2026-03-08

Last updated on: 2026-04-22

Assigner: VulDB

Description
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. Patch name: fdec3c90a15447bd538641d85e5a3e3ac981011d. To fix this issue, it is recommended to deploy a patch. The project maintainer explains: "Signature Malleability is not exploitable in SSH protocol. (...) [A] PoC doesn't exist for SSH implementation, but rather it's against the internal API."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3706
EUVD
EUVD-2026-10213
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mkj dropbear to 2025.89 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3706 is a vulnerability in the mkj Dropbear SSH server software up to version 2025.89. It arises from improper verification of cryptographic signatures in the function unpackneg within the file src/curve25519.c. Specifically, the vulnerability is due to a missing range check on the scalar component S of Ed25519 signatures, which violates the RFC 8032 specification requiring that S must be less than the group order L.'}, {'type': 'paragraph', 'content': "Because of this missing check, an attacker can create a malleable signature by adding the group order L to the scalar S (i.e., S' = S + L), and Dropbear will incorrectly accept both the original and the modified signature as valid. This breaks the uniqueness property of Ed25519 signatures and undermines the cryptographic integrity of the signature verification process."}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely without authentication, although the attack complexity is high and exploitability is considered difficult. A proof-of-concept exploit has been publicly disclosed.'}, {'type': 'paragraph', 'content': 'A patch has been released that adds the required scalar range check to ensure S < L, thereby preventing signature malleability and aligning the implementation with RFC 8032.'}] [2, 3, 6, 7]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability impacts the integrity of the Dropbear SSH server's cryptographic signature verification. Because the server accepts malleable signatures, an attacker could forge alternative valid signatures for the same signed message."}, {'type': 'paragraph', 'content': 'Such signature malleability can undermine security mechanisms that rely on signature uniqueness, potentially allowing attackers to bypass signature-based authentication or auditing controls.'}, {'type': 'paragraph', 'content': 'While the vulnerability does not directly compromise confidentiality or availability, it compromises data integrity and trust in the authenticity of SSH communications.'}, {'type': 'paragraph', 'content': 'Exploitation requires high complexity and is difficult, but a public proof-of-concept exists, so the risk is real if the vulnerable Dropbear versions are used without patching.'}, {'type': 'paragraph', 'content': 'To mitigate this impact, it is recommended to apply the available patch that enforces the scalar range check in signature verification.'}] [2, 6]

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves improper verification of Ed25519 cryptographic signatures in mkj Dropbear SSH server versions up to 2025.89. Detection involves verifying the Dropbear version in use and checking for the presence of the patch commit fdec3c90a15447bd538641d85e5a3e3ac981011d that fixes the issue.

Since the vulnerability is in the signature verification code of Dropbear, direct detection on network traffic is difficult without specialized cryptographic analysis tools. However, you can detect vulnerable versions by checking the Dropbear SSH server version running on your system.

  • Run the command `dropbear -V` or `dropbear -h` on the server to display the version information.
  • Check the version string for any version up to 2025.89, which is vulnerable.
  • Alternatively, inspect the source code or binary for the presence or absence of the patch commit fdec3c90a15447bd538641d85e5a3e3ac981011d.

No specific network commands or signatures are provided in the available information to detect exploitation attempts directly.

Mitigation Strategies

The primary mitigation step is to apply the official patch that fixes the vulnerability. The patch is identified by commit fdec3c90a15447bd538641d85e5a3e3ac981011d in the mkj Dropbear GitHub repository.

This patch adds a critical range check on the scalar component S of Ed25519 signatures to ensure it is less than the group order L, preventing signature malleability and enforcing RFC 8032 compliance.

  • Update your Dropbear SSH server to a version that includes the patch commit fdec3c90a15447bd538641d85e5a3e3ac981011d or later.
  • If you are building Dropbear from source, pull the latest code from the official repository and rebuild the server.
  • Restart the Dropbear SSH service after applying the update to ensure the fix is active.

Since the exploitability is considered difficult and the attack complexity is high, applying the patch promptly is the most effective immediate mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3706. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart