FreeHSM C Incorrect ECDSA Signature Handling Vulnerability

56% confidence

Description

FreeHSM C versions 1.1.0 through 1.2.1 incorrectly applied a default SHA-256 digest during raw CKM_ECDSA and CKM_RSA_PKCS signing operations, causing signatures to be unverifiable by third-party systems. The module's internal verification logic masked the issue by applying the same default digest, but external verifiers expecting raw input digests rejected the signatures. This affected all signed releases over a 15-day period.

Affected Products

Vendor	Product	Versions
afchine	freehsm c	1.1.0 - 1.2.1

Related News (1 articles)

Tier C

oss-security2h ago

[Security advisory] FreeHSM C v1.1.0 - v1.2.1 : raw CKM_ECDSA signatures not externally verifiable (fixed in v1.2.2 ; v1.3.0 extends boot KAT regression guard to 6/7 surfaces)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.2.2

CWECWE-347

PublishedJun 28, 2026

Last enriched2h ago

FreeHSM C Incorrect ECDSA Signature Handling Vulnerability

Description

Affected Products

Related News (1 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline