CVE-2026-25793: Blocklist Bypass possible via ECDSA Signature Malleability
When using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate: ECDSA signature malleability lets the holder of the certificate produce a copy of it that is still validly signed but carries a different fingerprint.
In order for this to affect a user or network, all of the following must be true:
- CURVE_P256 certificates are being used
- There are one or more entries on the blocklist
- The certificates for those entries are signed by a trusted CA and not expired
- An attacker has a copy of the private key, and corresponding certificate, for one of those blocklist entries
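The root cause is that an ECDSA signature (r, s) over P-256 has a second valid encoding, (r, n - s), and a fingerprint taken over the whole DER certificate changes when the signature bytes change. The example below is added here and is not code from the advisory or from the affected project; it shows the check a blocklist implementation can apply: parse the DER ECDSA signatureValue, reject or normalize any signature whose s is above n/2 (the "low-S" rule), and only then compute the fingerprint. The r and s values are constructed with a hash purely to get deterministic sample numbers; the curve order is the published P-256 parameter.

```python
import hashlib

# Group order n of NIST P-256 (secp256r1), a published curve parameter.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
HALF_N = P256_N // 2


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_ecdsa_sig(r: int, s: int) -> bytes:
    """ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (RFC 3279 form)."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_ecdsa_sig(der: bytes):
    """Parse a DER ECDSA signature into (r, s); reject anything malformed."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_r, r_bytes, pos = _read_tlv(body, 0)
    tag_s, s_bytes, pos = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER r, INTEGER s }")
    return int.from_bytes(r_bytes, "big"), int.from_bytes(s_bytes, "big")


def is_low_s(der: bytes) -> bool:
    """Canonical (low-S) check: accept only 1 <= s <= n/2."""
    _, s = decode_ecdsa_sig(der)
    return 1 <= s <= HALF_N


def normalize_low_s(der: bytes) -> bytes:
    """Map (r, s) and (r, n - s) to the same canonical encoding."""
    r, s = decode_ecdsa_sig(der)
    if s > HALF_N:
        s = P256_N - s
    return encode_ecdsa_sig(r, s)


def fingerprint(data: bytes) -> str:
    """SHA-256 hex fingerprint, as a blocklist would store it."""
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Constructed sample: the two encodings of one signature, and how a
    fingerprint computed before vs. after normalization behaves."""
    r = int.from_bytes(hashlib.sha256(b"constructed r").digest(), "big") % P256_N
    s_low = int.from_bytes(hashlib.sha256(b"constructed s").digest(), "big") % HALF_N + 1
    canonical = encode_ecdsa_sig(r, s_low)            # what the CA emitted
    alternate = encode_ecdsa_sig(r, P256_N - s_low)   # the other valid encoding
    return {
        "alternate_is_low_s": is_low_s(alternate),
        "raw_fingerprints_differ": fingerprint(canonical) != fingerprint(alternate),
        "normalized_fingerprints_match":
            fingerprint(normalize_low_s(canonical)) == fingerprint(normalize_low_s(alternate)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Normalizing (or rejecting) high-S signatures before hashing closes this particular bypass; the independent mitigation is to key the blocklist on a hash of the certificate's SubjectPublicKeyInfo, which the signature bytes do not influence at all.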