CVE-2026-3706
Status: Received - Intake
Improper Signature Verification in mkj Dropbear Curve25519 Remote

Publication date: 2026-03-08

Last updated on: 2026-04-22

Assigner: VulDB

Description
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of a cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. Patch name: fdec3c90a15447bd538641d85e5a3e3ac981011d. To fix this issue, it is recommended to deploy a patch. The project maintainer explains: "Signature Malleability is not exploitable in SSH protocol. (...) [A] PoC doesn't exist for SSH implementation, but rather it's against the internal API."
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: mkj
Product: dropbear
Version / Range: up to 2025.89 (inclusive)
CWE
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3706 is a vulnerability in the mkj Dropbear SSH server software up to version 2025.89. It arises from improper verification of cryptographic signatures in the function unpackneg within the file src/curve25519.c. Specifically, the vulnerability is due to a missing range check on the scalar component S of Ed25519 signatures, which violates the RFC 8032 specification requiring that S must be less than the group order L.

Because of this missing check, an attacker can create a malleable signature by adding the group order L to the scalar S (i.e., S' = S + L), and Dropbear will incorrectly accept both the original and the modified signature as valid. This breaks the uniqueness property of Ed25519 signatures and undermines the cryptographic integrity of the signature verification process.

The vulnerability can be exploited remotely without authentication, although the attack complexity is high and exploitability is considered difficult. A proof-of-concept exploit has been publicly disclosed.

A patch has been released that adds the required scalar range check to ensure S < L, thereby preventing signature malleability and aligning the implementation with RFC 8032. [2, 3, 6, 7]


How can this vulnerability impact me?

This vulnerability impacts the integrity of the Dropbear SSH server's cryptographic signature verification. Because the server accepts malleable signatures, an attacker could forge alternative valid signatures for the same signed message.

Such signature malleability can undermine security mechanisms that rely on signature uniqueness, potentially allowing attackers to bypass signature-based authentication or auditing controls.

While the vulnerability does not directly compromise confidentiality or availability, it compromises data integrity and trust in the authenticity of SSH communications.

Exploitation requires high complexity and is difficult, but a public proof-of-concept exists, so the risk is real if the vulnerable Dropbear versions are used without patching.

To mitigate this impact, it is recommended to apply the available patch that enforces the scalar range check in signature verification. [2, 6]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper verification of Ed25519 cryptographic signatures in mkj Dropbear SSH server versions up to 2025.89. Detection involves verifying the Dropbear version in use and checking for the presence of the patch commit fdec3c90a15447bd538641d85e5a3e3ac981011d that fixes the issue.

Since the vulnerability is in the signature verification code of Dropbear, direct detection on network traffic is difficult without specialized cryptographic analysis tools. However, you can detect vulnerable versions by checking the Dropbear SSH server version running on your system.

  • Run the command `dropbear -V` or `dropbear -h` on the server to display the version information.
  • Check the version string for any version up to 2025.89, which is vulnerable.
  • Alternatively, inspect the source code or binary for the presence or absence of the patch commit fdec3c90a15447bd538641d85e5a3e3ac981011d.

No specific network commands or signatures are provided in the available information to detect exploitation attempts directly.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to apply the official patch that fixes the vulnerability. The patch is identified by commit fdec3c90a15447bd538641d85e5a3e3ac981011d in the mkj Dropbear GitHub repository.

This patch adds a critical range check on the scalar component S of Ed25519 signatures to ensure it is less than the group order L, preventing signature malleability and enforcing RFC 8032 compliance.

  • Update your Dropbear SSH server to a version that includes the patch commit fdec3c90a15447bd538641d85e5a3e3ac981011d or later.
  • If you are building Dropbear from source, pull the latest code from the official repository and rebuild the server.
  • Restart the Dropbear SSH service after applying the update to ensure the fix is active.

Since the exploitability is considered difficult and the attack complexity is high, applying the patch promptly is the most effective immediate mitigation.

