CVE-2026-3706 — Insufficient Verification of Data Authenticity in Dropbear

CWE-345 — Insufficient Verification of Data Authenticity CWE-347 — Improper Verification of Cryptographic Signature5 documents5 sources

Severity

1.7LOWNVD

EPSS

0.0%

top 99.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

MKJ Dropbear Debian Dropbear

Timeline

PublishedMar 8

Description

A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. Patch name: fdec3c90a15447bd538641d85e5a3e3ac981011d. To fix this …

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5mkj/dropbear90 versions+89

▶debiandebian/dropbear

🔴Vulnerability Details

GHSA

GHSA-87g2-jprq-4cmc: A vulnerability was determined in mkj Dropbear up to 2025↗2026-03-08

▶

OSV

CVE-2026-3706: A vulnerability was determined in mkj Dropbear up to 2025↗2026-03-08

▶

📋Vendor Advisories

Debian

CVE-2026-3706: dropbear - A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the fu...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3706 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶