Description

A flaw has been found in janmojzis tinyssh up to 20250501. It affects an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c in the Ed25519 Signature Handler component. Manipulation leads to improper verification of a cryptographic signature. The attack is restricted to local execution. Attack complexity is rated as high, and exploitation is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. The patch is named 9c87269607e0d7d20174df742accc49c042cff17.

PUBLISHED Reserved 2026-03-21 | Published 2026-03-22 | Updated 2026-04-18 | Assigner VulDB




LOW: 2.0 | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
LOW: 2.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
LOW: 2.5 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
1.0 | AV:L/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem types

Improper Verification of Cryptographic Signature

Insufficient Verification of Data Authenticity

Product status

20250501: affected
20260301: unaffected

Timeline

2026-03-01: Countermeasure disclosed
2026-03-21: Advisory disclosed
2026-03-21: VulDB entry created
2026-03-23: VulDB entry last update

Credits

pythok (VulDB User) reporter

References

vuldb.com/vuln/352358 (VDB-352358 | janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification) vdb-entry

vuldb.com/vuln/352358/cti (VDB-352358 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/submit/774687 (Submit #774687 | GitHub tinyssh 20250501 Cryptographic Issues) third-party-advisory

github.com/janmojzis/tinyssh/issues/101 issue-tracking

github.com/janmojzis/tinyssh/pull/102 issue-tracking patch

github.com/janmojzis/tinyssh/issues/101 exploit issue-tracking

github.com/...ommit/9c87269607e0d7d20174df742accc49c042cff17 patch

github.com/janmojzis/tinyssh/releases/tag/20260301 patch

github.com/janmojzis/tinyssh/ product

cve.org (CVE-2026-4541)

nvd.nist.gov (CVE-2026-4541)
