CVE-2026-26275

{"id": "CVE-2026-26275", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-19T22:16:46.493", "references": [{"url": "https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/junkurihara/httpsig-rs/pull/14", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/junkurihara/httpsig-rs/pull/15", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-354"}, {"lang": "en", "value": "CWE-697"}]}], "descriptions": [{"lang": "en", "value": "httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer."}, {"lang": "es", "value": "httpsig-hyper es una extensi\u00f3n hyper para firmas de mensajes HTTP. Se descubri\u00f3 un problema en 'httpsig-hyper' anterior a la versi\u00f3n 0.0.23 donde la verificaci\u00f3n del encabezado Digest podr\u00eda ser exitosa, aunque de forma indebida, por el mal funcionamiento de la macro 'matches!' de Rust. Espec\u00edficamente, la comparaci\u00f3n 'if matches!(digest, _expected_digest)' trataba '_expected_digest' como una vinculaci\u00f3n de patr\u00f3n en lugar de una comparaci\u00f3n de valor, lo que resultaba en el \u00e9xito incondicional de la expresi\u00f3n de coincidencia. Como consecuencia, la verificaci\u00f3n del digest pod\u00eda devolver \u00e9xito incorrectamente incluso cuando el digest calculado no coincid\u00eda con el valor esperado. Por lo tanto, las aplicaciones que dependen de la verificaci\u00f3n de Digest como parte de la validaci\u00f3n de firmas de mensajes HTTP, pueden no detectar la modificaci\u00f3n del cuerpo del mensaje. La gravedad depende de c\u00f3mo se integra la biblioteca y si se aplican capas adicionales de validaci\u00f3n de firmas. Este problema ha sido solucionado en 'httpsig-hyper' 0.0.23. La soluci\u00f3n reemplaza el uso incorrecto de 'matches!' por una comparaci\u00f3n de valor adecuada y adicionalmente introduce una comparaci\u00f3n de tiempo constante para la verificaci\u00f3n del digest como defensa en profundidad. Tambi\u00e9n se han a\u00f1adido pruebas de regresi\u00f3n para evitar la reintroducci\u00f3n de este problema. Se recomienda encarecidamente a los usuarios que actualicen a la versi\u00f3n parcheada. No hay una soluci\u00f3n alternativa fiable sin actualizar. Los usuarios que no puedan actualizar inmediatamente deben evitar depender \u00fanicamente de la verificaci\u00f3n de Digest para la integridad del mensaje y asegurarse de que la verificaci\u00f3n completa de la firma de mensajes HTTP se aplique en la capa de aplicaci\u00f3n."}], "lastModified": "2026-03-03T17:44:32.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:junkurihara:httpsig-hyper:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "8D02B03A-2C49-46ED-A5C0-EF91104582CA", "versionEndExcluding": "0.0.23"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}