Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by verifying whether PuTTY\'s Ed25519 signature verification improperly accepts signatures where the scalar component S is replaced by S + L, with L being the group order. A practical approach is to use the verification tool provided in the GitHub repository "putty-ed25519-malleability-s-plus-l" which automates this check.'}, {'type': 'paragraph', 'content': "The repository includes a script named `check.sh` that builds PuTTY's `testcrypt` executable if not already present, then runs a proof-of-concept test to check for the vulnerability. If PuTTY is vulnerable, the output will indicate acceptance of both the original and malleated signatures."}, {'type': 'list_item', 'content': 'Clone the repository: `git clone https://github.com/py-thok/putty-ed25519-malleability-s-plus-l`'}, {'type': 'list_item', 'content': 'Run the check script: `./check.sh` (this will build and test the PuTTY verifier)'}, {'type': 'list_item', 'content': 'Observe the output for lines like:\n```\nputty verify(orig) = True\nputty verify(S+L) = True\n```\nwhich indicate vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The primary mitigation step is to apply the official patch identified by commit af996b5ec27ab79bae3882071b9d6acf16044549 to PuTTY. This patch enforces the canonicality check on the scalar component S in EdDSA signatures, rejecting any signatures where S is greater than or equal to the curve's base point order."}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to signature malleability and does not currently have demonstrated real-world impact, patching PuTTY to the fixed version is advisable to ensure compliance with RFC 8032 and prevent potential malleability issues.'}, {'type': 'list_item', 'content': 'Update PuTTY to version 0.83 or later that includes the patch af996b5ec27ab79bae3882071b9d6acf16044549.'}, {'type': 'list_item', 'content': 'If building from source, apply the patch manually from the commit linked in the patch repository.'}, {'type': 'list_item', 'content': 'Verify the fix by running the provided test cases or the verification tool from the GitHub repository.'}] [1, 4]

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4115 is a vulnerability in PuTTY version 0.83 affecting the Ed25519 signature verification implementation in the function eddsa_verify within the file crypto/ecc-ssh.c. The issue arises because the code does not enforce the strict upper bound on the signature component 's' as required by RFC 8032. Specifically, the value 's' in an EdDSA signature must be less than the curve's base point order to ensure a unique, canonical signature encoding. Prior to the fix, PuTTY accepted signatures where 's' was equal to or greater than this order, allowing malformed signatures to be accepted."}, {'type': 'paragraph', 'content': "This flaw introduces signature malleability, meaning an attacker can modify a valid signature into a different, yet still accepted, signature for the same message by adding the curve order to 's'. Although this does not allow forging signatures on new data, it violates the canonical form requirement and can affect systems relying on strong unforgeability."}, {'type': 'paragraph', 'content': "The vulnerability was recognized as a correctness issue rather than a direct security flaw in SSH contexts, since SSH does not rely on signature canonicality. The PuTTY developers quickly released a patch (commit af996b5ec27ab79bae3882071b9d6acf16044549) that adds an explicit check rejecting signatures with 's' values not strictly less than the curve order, aligning the implementation with RFC 8032."}] [1, 4]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "The vulnerability allows signature malleability, meaning an attacker can transform a valid Ed25519 signature into a different signature that is still accepted by PuTTY's verification process. This could potentially cause issues where systems expect signatures to be unique and canonical."}, {'type': 'paragraph', 'content': 'In the context of SSH, this malleability does not enable forging signatures on new messages or compromise session security, because the signature is transmitted in cleartext and not used in subsequent cryptographic operations like hashing or message authentication codes.'}, {'type': 'paragraph', 'content': 'However, the malleability could cause denial-of-service scenarios by poisoning host key caches if an attacker alters CA signatures to non-canonical forms, causing signature validation failures and preventing users from seeing modified fingerprints.'}, {'type': 'paragraph', 'content': 'Overall, the exploitability is difficult and requires a high level of complexity. There is no proof that this flaw has any real-world impact, but it is advisable to apply the patch to prevent potential issues related to signature malleability.'}] [4]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0