Skip to content

Comments

Add CVSS 3.1 severity for GHSA-x4gp-pqpj-f43q#6872

Merged
advisory-database[bot] merged 1 commit intogithub:sunnypatell/advisory-improvement-6872from
sunnypatell:cvss-GHSA-x4gp-pqpj-f43q
Feb 17, 2026
Merged

Add CVSS 3.1 severity for GHSA-x4gp-pqpj-f43q#6872
advisory-database[bot] merged 1 commit intogithub:sunnypatell/advisory-improvement-6872from
sunnypatell:cvss-GHSA-x4gp-pqpj-f43q

Conversation

@sunnypatell
Copy link

@sunnypatell sunnypatell commented Feb 13, 2026

Changes

Added CVSS 3.1 scoring to GHSA-x4gp-pqpj-f43q (curve25519-dalek timing variability in scalar subtraction).

  • Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (5.1 Medium)

CVSS justification

  • AV:L - timing side-channel requires local access to observe execution timing differences
  • AC:H - exploiting timing variability in Scalar29::sub/Scalar52::sub requires precise measurement and statistical analysis
  • C:H - successful exploitation could leak secret scalar values used in cryptographic operations
  • I:N/A:N - this is a read-only information leak; no data modification or service disruption

References

Copilot AI review requested due to automatic review settings February 13, 2026 20:56
@github-actions github-actions bot changed the base branch from main to sunnypatell/advisory-improvement-6872 February 13, 2026 20:58
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds CVSS 3.1 scoring information to the GitHub Security Advisory GHSA-x4gp-pqpj-f43q, which documents a timing variability vulnerability in the curve25519-dalek cryptographic library. The vulnerability affects the Scalar29::sub and Scalar52::sub functions and could potentially leak secret scalar values through timing side-channel attacks.

Changes:

  • Adds CVSS 3.1 vector string and scoring to the security advisory JSON file
  • Provides detailed justification for each CVSS metric based on the vulnerability characteristics

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@sunnypatell sunnypatell force-pushed the cvss-GHSA-x4gp-pqpj-f43q branch from 0cbf9bb to 25c926a Compare February 17, 2026 15:43
@sunnypatell
Copy link
Author

sunnypatell commented Feb 17, 2026

corrected the CVSS vector to use the CNA-sourced score (cve@mitre.org) instead of the NVD primary score.

  • was: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (5.1, nvd@nist.gov)
  • now: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (2.9, cve@mitre.org)

@shelbyc
Copy link
Contributor

shelbyc commented Feb 17, 2026

Hi @sunnypatell, I'm merging this PR because GHSA-x4gp-pqpj-f43q doesn't already have a CVSS attached to the advisory and a CVSS would be appropriate for the severity of the issue described in the GHSA. I agree with the choice of MITRE's CVSS CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.

@advisory-database advisory-database bot merged commit 261eda7 into github:sunnypatell/advisory-improvement-6872 Feb 17, 2026
1 check passed
@advisory-database
Copy link
Contributor

advisory-database bot commented Feb 17, 2026

Hi @sunnypatell! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@sunnypatell sunnypatell mentioned this pull request Feb 18, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sunnypatell @shelbyc