PuTTY vulnerability ecdsa-remotely-triggerable-assertion

This is a mirror. Follow this link to find the primary PuTTY web site.

summary: ECDSA signature verification can be made to fail an assertion
class: vulnerability: This is a security vulnerability.
present-in: 0.71
fixed-in: 65b8f37c34cd80680693e813e0081cdafaf58324 (0.84)

The elliptic curve arithmetic in PuTTY contains an assertion statement which shouldn't be there. It fails an assertion if you try to add two elliptic curve points with the same y-coordinate, which is a perfectly normal thing to do and should not be a special or error case at all. (Adding points with the same x-coordinate is a special case.)

This assertion failure can be triggered during initial key exchange, by sending a carefully chosen host key and signature. The crashing calculation does not depend on any other part of the key exchange, so the malicious key and signature can be the same every time.

Verification of the host key signature occurs in PuTTY before the host key is checked against the cache. So even if you trust the server you think you're connecting to, a MITM could substitute this bogus key and signature for the real ones, and cause PuTTY to crash with an assertion failure before you received any warning about an unknown or incorrect host key.

This just about classifies as a DoS attack, and hence a vulnerability. However, it is a very minor one, on the borderline of not even counting as a vulnerability at all, because:

A MITM between a particular client and server can always deny service in the sense of preventing a successful SSH connection setup. Nothing can be done about that.
The only interesting thing in this attack is that the MITM can cause PuTTY to crash, rather than failing with a more sensible error message (which is what happens in the same situation once this bug is fixed).
PuTTY is always compiled with assertions turned on. So the crash is only an ugly error message, and does not lead to any worse compromise.
PuTTY runs one SSH session per process, so this crash does not terminate any other running sessions.
The only potential damage is that if you had valuable information in your terminal scrollback (e.g. because you had already run one successful SSH connection in the same window, and then used the "Restart Session" menu option), you might lose that information because PuTTY crashed.

This bug applies only to elliptic curves in Weierstrass form. In PuTTY that means the NIST curves: P256, P384 and P521. Ed25519 (and Ed448) is unaffected.

Thanks to Guido Vranken for reporting this bug, and also providing an example case in the P256 curve.

If you want to comment on this web site, see the Feedback page.

Audit trail for this vulnerability.

(last revision of this bug record was at 2026-05-22 11:23:45 +0100)