CVE-2021-38195

CRITICAL9.8EPSS 0.17%

libsecp256k1 allows overflowing signatures

Published: 8/25/2021Modified: 11/8/2023

Also known as:GHSA-g4vj-x7v9-h82mRUSTSEC-2021-0076

Description

libsecp256k1 accepts signatures whose R or S parameter is larger than the secp256k1 curve order, which differs from other implementations. This could lead to invalid signatures being verified. The error is resolved in 0.5.0 by adding a `check_overflow` flag.

Affected packages (2)

crates.io/libsecp256k1from 0, < 0.5.0
crates.io/libsecp256k1>= 0.0.0-0, < 0.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-38195
PATCHhttps://crates.io/crates/libsecp256k1
PATCHhttps://github.com/paritytech/libsecp256k1
WEBhttps://github.com/paritytech/libsecp256k1/pull/67
WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0076.html