CVE-2026-26275
Published: 19 February 2026
Summary
CVE-2026-26275 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Junkurihara Httpsig-Hyper. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Proper validation of integrity check values is required for reliable tamper detection, directly reducing undetected modification risks.
- Requires validation of integrity check values on every resolution response, directly mitigating tampered or corrupted DNS data.
- Control mandates proper validation of integrity values (checksums) on prepared data, making flawed validation of those checks ineffective for attackers.
- Requires use of proper integrity verification tools, reducing the chance an incorrect check value is accepted.
- Requires proper validation of integrity mechanisms, directly mitigating flawed check-value handling.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability bypasses HTTP Digest/signature integrity verification, directly enabling undetected tampering of message bodies in transit.
NVD Description
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.
Deeper analysis (AI)
CVE-2026-26275 affects httpsig-hyper, a Hyper extension for HTTP message signatures, in versions prior to 0.0.23. The vulnerability stems from a misuse of Rust's `matches!` macro in Digest header verification, where the comparison `if matches!(digest, _expected_digest)` incorrectly treats `_expected_digest` as a pattern binding rather than performing a value comparison. This results in unconditional success of the match expression, causing digest verification to return success even when the computed digest does not match the expected value. Consequently, applications relying on this library for Digest verification as part of HTTP message signature validation may fail to detect modifications to the message body.
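As an added illustration of the mechanism described in the NVD text and the paragraph above (this is not code from the httpsig-hyper project or the advisory), the Rust snippet below places the vulnerable `matches!` shape next to a proper value comparison. The function names `digest_matches_vulnerable`, `digest_matches_fixed` and the `ct_eq` helper are hypothetical, and the byte strings are constructed sample values rather than real digests; `ct_eq` stands in for whatever constant-time comparison the patched crate uses.

```rust
// Added illustration (not httpsig-hyper's own code): why `matches!` with a
// bare identifier always succeeds, and what a real value comparison looks like.

/// Vulnerable shape from the advisory. Inside `matches!`, `_expected` is an
/// identifier PATTERN, not a value: it binds whatever `digest` is, so the match
/// is irrefutable and the function returns true for every input. rustc only
/// hints at the problem by warning that the expanded `_ => false` arm is
/// unreachable; the attribute below silences that warning to keep the
/// illustration compiling quietly.
#[allow(unreachable_patterns, unused_variables)]
fn digest_matches_vulnerable(digest: &[u8], _expected: &[u8]) -> bool {
    matches!(digest, _expected)
}

/// Hypothetical constant-time byte comparison (defense-in-depth, as the fix
/// describes). Length is public, so a length mismatch may return early; for
/// equal lengths every byte is visited and the differences are OR-ed together,
/// so the time taken does not depend on where the first mismatch is.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Fixed shape: compare the computed digest to the expected one by value.
fn digest_matches_fixed(digest: &[u8], expected: &[u8]) -> bool {
    ct_eq(digest, expected)
}

fn main() {
    // Constructed sample values, not real digests.
    let computed = b"digest-of-the-body-actually-received";
    let expected = b"digest-the-signer-committed-to-in-hdr";

    // The vulnerable check "verifies" a mismatch; the fixed check rejects it.
    println!("vulnerable: {}", digest_matches_vulnerable(computed, expected));
    println!("fixed:      {}", digest_matches_fixed(computed, expected));
    println!("fixed (same): {}", digest_matches_fixed(expected, expected));
}
```

A cheap guard against this whole class of bug: `matches!` expands to a `match` with a trailing `_ => false` arm, and when the first arm is a bare identifier that arm is irrefutable, so rustc reports the trailing arm as an unreachable pattern. Treating that warning as an error in CI (`-D unreachable-patterns`) turns the silent always-true check into a build failure.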
Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity, as indicated by its CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Exploitation allows an attacker to send HTTP messages with tampered bodies that pass Digest verification, bypassing integrity checks tied to HTTP message signatures. The result is message body modification that goes undetected; the impact is confined to integrity (high), with no confidentiality or availability impact, and the associated weaknesses are CWE-354 (Improper Validation of Integrity Check Value) and CWE-697 (Incorrect Comparison).
The security advisory and patch details in the httpsig-rs GitHub repository confirm the fix in version 0.0.23, which replaces the erroneous `matches!` usage with a proper value comparison and adds constant-time comparison for defense-in-depth, along with regression tests. Users are strongly advised to upgrade immediately, as there is no reliable workaround; those unable to upgrade should avoid relying solely on Digest verification and enforce full HTTP message signature validation at the application layer. Relevant references include the fixing commits, pull requests, and the GHSA-7v42-g35v-xrch advisory.
Details
- CWE(s)