FIND-20260404-018 · 2026-04-04 · Innovation Veille

RUSTSEC-2026-0075 — libcrux-ed25519 All-Zero Key on RNG Failure (HIGH 8.2)

cve MEDIUM
libcrux-ed25519 <= 0.0.6 silently generates an all-zero Ed25519 signing key when the CSPRNG fails after 100 attempts. Because that key is a known constant, this allows signature forgery. Fixed in 0.0.7. The bug only triggers on catastrophic RNG failure, but if it does trigger, the impact is total cryptographic compromise. The OID service uses JWT/OIDC signing; if libcrux-ed25519 is a transitive dependency, the upgrade is mandatory.

Source

https://rustsec.org/advisories/RUSTSEC-2026-0075

ODS Impact

The OID service signs JWT tokens. If any dependency in the Rust crate tree pulls in libcrux-ed25519 <= 0.0.6, an RNG failure while the token-signing key is generated would produce a predictable key. Run cargo audit in the OID, billing-engine, and securemail service repos to check for this dependency.
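A lockfile check that can run alongside cargo audit, as an added example that is not part of the original finding or of any ODS tooling: it scans Cargo.lock text for every resolved libcrux-ed25519 version below 0.0.7, including copies pulled in transitively. The sample lockfile, the example-service crate name and the check_lock.py script name are constructed for illustration.

```python
import re
import sys

CRATE = "libcrux-ed25519"
FIXED = (0, 0, 7, 1)  # 0.0.7 final: the fixed release named in the finding

# Constructed Cargo.lock excerpt (not taken from a real repo; source/checksum
# lines omitted). The crate is resolved twice: once affected, once fixed.
SAMPLE_LOCK = '''\
[[package]]
name = "example-service"
version = "1.4.0"
dependencies = [
 "libcrux-ed25519 0.0.6",
]

[[package]]
name = "libcrux-ed25519"
version = "0.0.6"

[[package]]
name = "libcrux-ed25519"
version = "0.0.7"
'''

_FIELD = re.compile(r'^(name|version) = "([^"]*)"\s*$', re.MULTILINE)

def version_key(text):
    """Sortable key; a pre-release such as 0.0.7-rc.1 ranks below 0.0.7."""
    core, dash, _ = text.partition("+")[0].partition("-")
    return tuple(int(p) for p in core.split(".")) + (0 if dash else 1,)

def affected_versions(lock_text, crate=CRATE, fixed=FIXED):
    """Return each resolved version of `crate` in a Cargo.lock below `fixed`."""
    hits = set()
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(_FIELD.findall(block))  # dependency entries do not match
        if fields.get("name") == crate and version_key(fields["version"]) < fixed:
            hits.add(fields["version"])
    return sorted(hits, key=version_key)

if __name__ == "__main__":  # usage: python check_lock.py <Cargo.lock>...
    found = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            bad = affected_versions(fh.read())
        print(f"{path}: {'AFFECTED ' + ', '.join(bad) if bad else 'ok'}")
        found = found or bool(bad)
    sys.exit(1 if found else 0)
```

The non-zero exit status on a hit lets the check gate a CI job; pre-releases of 0.0.7 are flagged conservatively because the finding only names 0.0.7 as fixed.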

Security Review

License: Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION

Tags

rust cve cryptography ed25519 oid rustsec