CWE-1240
Use of a Cryptographic Primitive with a Risky Implementation
Description
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-97
CVEs mapped to this weakness (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46654 | | High | 0.51 | — | 0.00 | | Jun 10, 2026 | Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in… |
| CVE-2025-24802 | — | High | 0.49 | 8.6 | 0.00 | | Jan 30, 2025 | Plonky2 is a SNARK implementation based on techniques from PLONK and FRI. Lookup tables, whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f… |
| CVE-2025-14505 | | Medium | 0.36 | 5.6 | 0.00 | | Jan 8, 2026 | The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret… |
| CVE-2026-22705 | | Medium | 0.35 | 6.4 | 0.00 | | Jan 10, 2026 | RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints… |
| CVE-2025-29779 | | Medium | 0.35 | — | 0.00 | | Mar 14, 2025 | Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. In versions 0.8.0b2 and prior, the `secure_redundant_execution` function in feldman_vss.py attempts to mitigate fault injection attacks… |
| CVE-2017-1000168 | | Medium | 0.35 | 6.5 | 0.01 | | Nov 17, 2017 | sodiumoxide 0.0.13 and older scalarmult() vulnerable to degenerate public keys |
| CVE-2026-44410 | — | Low | 0.25 | 3.8 | 0.00 | | May 26, 2026 | This vulnerability stems from a business logic flaw. Attackers can exploit legitimate application functions in unintended and abnormal ways, deviating from the designer's expectations, to carry out malicious attacks. |
| CVE-2026-27017 | | | 0.00 | — | 0.00 | | Feb 20, 2026 | uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with Chrome when using GREASE ECH, related to cipher suite selection. When Chrome… |
| CVE-2025-53960 | | | 0.00 | — | 0.00 | | Dec 12, 2025 | When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to… |