Cyber Resilience

CVE-2026-4258

High · Public PoC · Updated

Published: 17 March 2026

Modified: 03 June 2026
KEV Added: not listed
Patch: available
CVSS v4 Score: 7.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0003 (7.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4258 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Bitwiseshiftleft Stanford Javascript Crypto Library. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE is ranked at the 7.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4258 is an Improper Verification of Cryptographic Signature vulnerability (CWE-347, CWE-325) affecting all versions of the sjcl JavaScript cryptographic library. It arises from missing point-on-curve validation in the sjcl.ecc.basicKey.publicKey() function, enabling attackers to recover a victim's ECDH private key. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-17.

A network-based attacker requires no privileges or user interaction to exploit this vulnerability. By sending crafted off-curve public keys to a victim and observing the resulting ECDH outputs, the attacker can recover the private key. The dhJavaEc() function exacerbates the issue by directly returning the raw x-coordinate of the scalar multiplication result without hashing, providing a plaintext oracle that does not rely on decryption feedback.

Mitigation is available via a patch in the sjcl repository at commit ee307459972442a17beebc29dc331fffd8aff796, which addresses the point validation flaw. Further details, including a proof-of-concept, are provided in the GitHub gist at https://gist.github.com/Kr0emer/2560f98edb10b0b34f2438cd63913c47 and the Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-SJCL-15369617. Practitioners using sjcl should update to the patched version and audit ECDH implementations for similar validation gaps.

Vulnerability details

All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs.

The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.
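As an added illustration for the two descriptions above (this is not sjcl's code and not the content of the patch commit), the following JavaScript shows the kind of point-on-curve check the advisory says was missing: an uncompressed P-256 public key is checked against the curve equation before it could ever reach ECDH scalar multiplication, and off-curve points are rejected. The curve constants are the standard NIST P-256 values; the helper names are assumptions.

```javascript
// Added example, not sjcl's own code: validate a P-256 public key before ECDH.
// Standard NIST P-256 domain parameters (prime p, coefficients a and b, base point G).
const P256 = {
  p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  a: 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffcn, // p - 3
  b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
  gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,
};

// Non-negative modular reduction for BigInt.
function mod(n, m) {
  const r = n % m;
  return r < 0n ? r + m : r;
}

// True iff (x, y) is a canonical field element pair satisfying
// y^2 = x^3 + a*x + b over GF(p). An off-curve point passed to ECDH lands on a
// different curve (the addition formulas never use b), which is exactly the
// condition the advisory describes; this check refuses such points up front.
function isOnCurve(curve, x, y) {
  const { p, a, b } = curve;
  if (x < 0n || x >= p || y < 0n || y >= p) return false;
  const lhs = mod(y * y, p);
  const rhs = mod(x * x * x + a * x + b, p);
  return lhs === rhs;
}

// Parse a hex-encoded uncompressed SEC1 point (0x04 || X || Y, 65 bytes) and
// validate it. Throws on malformed or off-curve input so a caller cannot
// proceed to scalar multiplication with an invalid peer key.
function parseP256PublicKey(hex) {
  const h = hex.toLowerCase();
  if (h.length !== 130 || !h.startsWith('04') || !/^[0-9a-f]+$/.test(h)) {
    throw new Error('expected 65-byte uncompressed SEC1 point');
  }
  const x = BigInt('0x' + h.slice(2, 66));
  const y = BigInt('0x' + h.slice(66, 130));
  if (!isOnCurve(P256, x, y)) throw new Error('public key is not on P-256');
  return { x, y };
}
```

P-256 has cofactor 1, so for this curve the on-curve check is the whole validation; for curves with a cofactor an additional subgroup check is needed.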

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1552.004 Private Keys (Credential Access): Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

The vulnerability enables remote recovery of ECDH private keys via crafted inputs and missing curve validation (direct credential theft); it therefore maps to exploitation for credential access and private key compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4601 (shared CWE-325)
CVE-2026-34240 (shared CWE-347)
CVE-2024-56161 (shared CWE-347)
CVE-2025-24043 (shared CWE-347)
CVE-2026-23687 (shared CWE-347)
CVE-2024-13172 (shared CWE-347)
CVE-2026-41669 (shared CWE-347)
CVE-2026-27962 (shared CWE-347)
CVE-2025-12006 (shared CWE-347)
CVE-2026-32974 (shared CWE-347)

Affected Assets

bitwiseshiftleft / stanford javascript crypto library, versions ≤ 1.0.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

(prevent, recover) Directly requires timely identification, reporting, and correction of the specific flaw in sjcl's ECDH point-on-curve validation via the available patch, to prevent private key recovery.

(prevent) SI-10 Information Input Validation: Mandates validation of information inputs such as ECDH public keys to detect and reject crafted off-curve points, addressing the core vulnerability.

(prevent) SC-12 Cryptographic Key Establishment and Management: Requires approved cryptographic key establishment techniques per NIST SP 800-56A that include elliptic curve point validation, preventing exploitation through invalid public keys in ECDH.
