CVE-2026-4115

CVE-2026-4115 is a low-severity vulnerability in Putty with a CVSS 3.x base score of 3.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-345.

Key facts

Description

A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as af996b5ec27ab79bae3882071b9d6acf16044549. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a patch for the affected product. However, at the moment there is no proof that this flaw might have any real-world impact.

Frequently asked questions

What is CVE-2026-4115?
A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as af996b5ec27ab79bae3882071b9d6acf16044549. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a patch for the affected product. However, at the moment there is no proof that this flaw might have any real-world impact.
How severe is CVE-2026-4115?
CVE-2026-4115 has a CVSS 3.x base score of 3.7, rated low severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2026-4115 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (41st percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-4115?
CVE-2026-4115 affects Putty. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-4115?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-4115 have an EU (EUVD) identifier?
Yes. CVE-2026-4115 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-14301.
When was CVE-2026-4115 published?
CVE-2026-4115 was published on 2026-03-22 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Putty

All CVEs affecting Putty →

Other CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities

Browse all CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities →