CVE-2025-69277: libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.
Overview
- Severity: Medium (CVSS 4.5)
- CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U
- Exploit Status: Not Exploited
- Patch Tuesday: 2025-Dec
- Released: 2026-01-03
- Last Updated: 2026-02-18
- EPSS Score: 0.01% (percentile: 0.6%)
Affected Products (4)
Other
- 20774-17084
- 20775-17086
- 20829-17084
- 20883-17086
Revision History
- 2026-01-03: Information published.
- 2026-01-09: Information published.
- 2026-01-13: Information published.
- 2026-01-20: Information published.
- 2026-02-18: Information published.