{"id":"CVE-2020-12607","details":"An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a usability problem. There are some threat models where an attacker can benefit by successfully guessing users for whom signature verification will fail.","aliases":["GHSA-56wv-2wr9-3h9r","PYSEC-2020-42"],"modified":"2026-04-11T15:27:50.774285Z","published":"2020-06-02T21:15:10.607Z","references":[{"type":"FIX","url":"https://github.com/AntonKueltz/fastecdsa/commit/4a16daeaf139be20654ef58a9fe4c79dc030458c"},{"type":"FIX","url":"https://github.com/AntonKueltz/fastecdsa/commit/7b64e3efaa806b4daaf73bb5172af3581812f8de"},{"type":"FIX","url":"https://github.com/AntonKueltz/fastecdsa/commit/e592f106edd5acf6dacedfab2ad16fe6c735c9d1"},{"type":"EVIDENCE","url":"https://github.com/AntonKueltz/fastecdsa/issues/52"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/antonkueltz/fastecdsa","events":[{"introduced":"0"},{"fixed":"7b64e3efaa806b4daaf73bb5172af3581812f8de"},{"fixed":"4a16daeaf139be20654ef58a9fe4c79dc030458c"},{"fixed":"e592f106edd5acf6dacedfab2ad16fe6c735c9d1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.2"}]}}],"versions":["v1.0.1","v1.0.2","v1.0.3","v1.1.3","v1.2.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v2.0.0","v2.1.0","v2.1.1","v2.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12607.json","vanir_signatures":[{"digest":{"length":830,"function_hash":"93520763919975657384232032081005663602"},"signature_version":"v1","target":{"function":"pointZZ_pDouble","file":"src/curveMath.c"},"signature_type":"Function","source":"https://github.com/antonkueltz/fastecdsa/commit/e592f106edd5acf6dacedfab2ad16fe6c735c9d1","id":"CVE-2020-12607-66ce0194","deprecated":false},{"digest":{"length":1007,"function_hash":"114807553560984464700912165694170755712"},"signature_version":"v1","target":{"function":"pointZZ_pMul","file":"src/curveMath.c"},"signature_type":"Function","source":"https://github.com/antonkueltz/fastecdsa/commit/e592f106edd5acf6dacedfab2ad16fe6c735c9d1","id":"CVE-2020-12607-765a86e6","deprecated":false},{"digest":{"length":794,"function_hash":"237713034721248222028732838030589999764"},"signature_version":"v1","target":{"function":"pointZZ_pAdd","file":"src/curveMath.c"},"signature_type":"Function","source":"https://github.com/antonkueltz/fastecdsa/commit/e592f106edd5acf6dacedfab2ad16fe6c735c9d1","id":"CVE-2020-12607-9ebef2d1","deprecated":false},{"digest":{"line_hashes":["295440111576572506065665976290646547187","196854035119909962313773951870531590818","317871309843992884374969037078204491522","104375746076562032098332227659040301528","65416599458374717787017732325794096570","177423792026663125093054846541122329542","218619352812740939546316886251052461695","40930251885493100673819922373020214212","243540426651314462511606196020035304659","273798193599705150604646108665496793181","170054887755278315323162088544007563571","197353946011006447932649302589988372905","234408837222518631626031317531483544714","74221276442437195587473428445690813998"],"threshold":0.9},"signature_version":"v1","target":{"file":"src/curveMath.c"},"signature_type":"Line","source":"https://github.com/antonkueltz/fastecdsa/commit/e592f106edd5acf6dacedfab2ad16fe6c735c9d1","id":"CVE-2020-12607-adb032bc","deprecated":false}],"vanir_signatures_modified":"2026-04-11T15:27:50Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}