Is filippo.io/edwards25519 affected by CVE-2026-26958?

Go filippo.io/edwards25519 is affected in <1.1.1.

Is CVE-2026-26958 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

low

CVE-2026-26958

Q: Is CVE-2026-26958 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

Go · filippo.io/edwards25519

Summary

filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

Severity: low
EPSS: 0.4% (p28)
Also known as: GHSA-fw7p-63qq-7hpr, GO-2026-4503
Published: 2026-02-18

References

https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr
https://nvd.nist.gov/vuln/detail/CVE-2026-26958
https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.