While working on the gotrue project, I identified a vulnerability, CVE-2026-26958, in the filippo.io/edwards25519 Go package. The issue exists in the (*Point).MultiScalarMult method, which does not properly initialize its receiver. If the method is executed on a non-identity or uninitialized point, it may return incorrect or undefined results, potentially affecting cryptographic operations and data integrity.
CVE Link
CVE Report
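The receiver-initialization failure described above, modelled as an added example that is not code from the edwards25519 package or from the original post. It assumes a toy group (integers mod 1009 under addition) in place of the curve; the Point type and the buggyMultiScalarMult, fixedMultiScalarMult and receiverIndependent functions are hypothetical names, and only the non-identity receiver case is modelled because the toy zero value is already the identity.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy model (assumption): integers mod q under addition stand in for the
// curve group, so "scalar * point" is plain multiplication mod q.
var q = big.NewInt(1009)

// Point is a hypothetical stand-in for a curve point; n == 0 is the identity.
type Point struct{ n big.Int }

func newPoint(x int64) *Point { p := new(Point); p.n.SetInt64(x); return p }

// buggyMultiScalarMult models the flaw: it accumulates into the receiver
// without first resetting it to the identity.
func (v *Point) buggyMultiScalarMult(scalars []int64, points []*Point) *Point {
	for i, s := range scalars {
		term := new(big.Int).Mul(big.NewInt(s), &points[i].n)
		v.n.Mod(v.n.Add(&v.n, term), q)
	}
	return v
}

// fixedMultiScalarMult sums into a fresh identity value and only then
// overwrites the receiver, so it stays correct if v also appears in points.
func (v *Point) fixedMultiScalarMult(scalars []int64, points []*Point) *Point {
	var acc Point // zero value is the identity
	acc.buggyMultiScalarMult(scalars, points)
	v.n.Set(&acc.n)
	return v
}

// receiverIndependent is a regression check: the result must be the expected
// sum and must not depend on what the receiver held before the call.
func receiverIndependent(msm func(*Point, []int64, []*Point) *Point) bool {
	scalars := []int64{3, 5}
	points := []*Point{newPoint(7), newPoint(11)} // constructed input: 3*7 + 5*11 = 76
	fresh := msm(newPoint(0), scalars, points)
	reused := msm(newPoint(42), scalars, points)
	return fresh.n.Int64() == 76 && fresh.n.Cmp(&reused.n) == 0
}

func main() {
	fmt.Println("buggy is receiver-independent:", receiverIndependent((*Point).buggyMultiScalarMult))
	fmt.Println("fixed is receiver-independent:", receiverIndependent((*Point).fixedMultiScalarMult))
}
```

The same receiver-independence check, written against the real API, is a useful regression test for any code that reuses a point variable as the receiver of a multi-scalar multiplication.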