Skip to content

[AutoPR- Security] Patch keda for CVE-2026-26958 [LOW] #195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
azurelinux-security wants to merge 1 commit into
base: 3.0-dev
Choose a base branch
from
Draft

[AutoPR- Security] Patch keda for CVE-2026-26958 [LOW] #195

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions SPECS/keda/CVE-2026-26958.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
From fa8223239724e073f01a203dbd7e090d499b901b Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <hi@filippo.io>
Date: Sun, 15 Feb 2026 22:00:22 +0100
Subject: [PATCH] extra: initialize receiver in MultiScalarMult

(*Point).MultiScalarMult failed to initialize its receiver.

If the method is called on an initialized point that is not the identity
point, MultiScalarMult produces an incorrect result.

If the method is called on an uninitialized point, the behavior is
undefined. In particular, if the receiver is the zero value,
MultiScalarMult returns an invalid point that compares Equal to every
point.

This was independently reported by @WeebDataHoarder and @shaharcohen1.

Fixes CVE-2026-26958
Fixes GHSA-fw7p-63qq-7hpr

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb.patch
---
vendor/filippo.io/edwards25519/extra.go | 1 +
1 file changed, 1 insertion(+)

diff --git a/vendor/filippo.io/edwards25519/extra.go b/vendor/filippo.io/edwards25519/extra.go
index d152d68f..ab2e44a5 100644
--- a/vendor/filippo.io/edwards25519/extra.go
+++ b/vendor/filippo.io/edwards25519/extra.go
@@ -265,6 +265,7 @@ func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
tmp1 := &projP1xP1{}
tmp2 := &projP2{}
// Lookup-and-add the appropriate multiple of each input point
+ v.Set(NewIdentityPoint())
for j := range tables {
tables[j].SelectInto(multiple, digits[j][63])
tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/keda/keda.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: Kubernetes-based Event Driven Autoscaling
Name: keda
Version: 2.14.1
Release: 11%{?dist}
Release: 12%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand Down Expand Up @@ -38,6 +38,7 @@ Patch12: CVE-2025-11065.patch
Patch13: CVE-2025-47911.patch
Patch14: CVE-2025-58190.patch
Patch15: CVE-2026-2303.patch
Patch16: CVE-2026-26958.patch
BuildRequires: golang >= 1.15

%description
Expand Down Expand Up @@ -73,6 +74,9 @@ cp ./bin/keda-admission-webhooks %{buildroot}%{_bindir}
%{_bindir}/%{name}-admission-webhooks

%changelog
* Mon Mar 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.14.1-12
- Patch for CVE-2026-26958

* Thu Feb 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.14.1-11
- Patch for CVE-2026-2303, CVE-2025-58190, CVE-2025-47911

Expand Down
Loading