Critical severityNVD Advisory· Published Jul 28, 2025· Updated Apr 15, 2026

CVE-2025-54426

Description

Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. In versions prior to commit 36f70d1, the Curve25519Add and Curve25519ScalarMul precompiles incorrectly handle invalid Ristretto point representations. Instead of returning an error, they silently treat invalid input bytes as the Ristretto identity element, leading to potentially incorrect cryptographic results. This is fixed in commit 36f70d1.

Patches

36f70d1defca

https://github.com/polkadot-evm/frontiervia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdfnvd
github.com/polkadot-evm/frontier/commit/36f70d1defcaeaed5a453015f6c98c21bb5b121bnvd
github.com/polkadot-evm/frontier/pull/1720/commits/8ed6053fb868495477ba2409f7e64f439df76f96nvd
github.com/polkadot-evm/frontier/security/advisories/GHSA-v4q3-23rh-w5mwnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000