High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 9, 2026
Nebula Has Possible Blocklist Bypass via ECDSA Signature Malleability
CVE-2026-25793
Description
Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/slackhq/nebula (Go) | >= 1.7.0, < 1.10.3 | 1.10.3 |
Affected products
osv-coords, 14 versions (no CPE listed for any entry):

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/caddy | < 2.11.0-r0 |
| pkg:apk/chainguard/caddy-fips | < 2.11.1-r0 |
| pkg:apk/chainguard/step | < 0.30.1-r0 |
| pkg:apk/chainguard/step-ca | < 0.30.1-r0 |
| pkg:apk/chainguard/step-ca-fips | < 0.30.2-r0 |
| pkg:apk/chainguard/step-fips | < 0.30.1-r0 |
| pkg:apk/chainguard/step-issuer | < 0.10.1-r0 |
| pkg:apk/chainguard/step-issuer-fips | < 0.9.11-r5 |
| pkg:apk/wolfi/caddy | < 2.11.0-r0 |
| pkg:apk/wolfi/step | < 0.30.1-r0 |
| pkg:apk/wolfi/step-ca | < 0.30.1-r0 |
| pkg:apk/wolfi/step-issuer | < 0.10.1-r0 |
| pkg:golang/github.com/slackhq/nebula | >= 1.7.0, < 1.10.3 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 | < 0.0.20260226T182644-150000.1.149.1 |
References
- github.com/advisories/GHSA-69x3-g4r3-p962 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25793 (ghsa, ADVISORY)
- github.com/slackhq/nebula/commit/f573e8a26695278f9d71587390fbfe0d0933aa21 (ghsa, x_refsource_MISC, WEB)
- github.com/slackhq/nebula/security/advisories/GHSA-69x3-g4r3-p962 (ghsa, x_refsource_CONFIRM, WEB)