microsoft · azurelinux-security · Mar 3, 2026 · Mar 3, 2026 · Mar 20, 2026
@@ -0,0 +1,41 @@
+From 2a91b328968b2f9d0e39aac8852af38cfdce5b0f Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <hi@filippo.io>
+Date: Sun, 15 Feb 2026 22:00:22 +0100
+Subject: [PATCH] extra: initialize receiver in MultiScalarMult
+
+(*Point).MultiScalarMult failed to initialize its receiver.
+
+If the method is called on an initialized point that is not the identity
+point, MultiScalarMult produces an incorrect result.
+
+If the method is called on an uninitialized point, the behavior is
+undefined. In particular, if the receiver is the zero value,
+MultiScalarMult returns an invalid point that compares Equal to every
+point.
+
+This was independently reported by @WeebDataHoarder and @shaharcohen1.
+
+Fixes CVE-2026-26958
+Fixes GHSA-fw7p-63qq-7hpr
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
+---
+ vendor/filippo.io/edwards25519/extra.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/vendor/filippo.io/edwards25519/extra.go b/vendor/filippo.io/edwards25519/extra.go
+index d152d68f..ab2e44a5 100644
+--- a/vendor/filippo.io/edwards25519/extra.go
++++ b/vendor/filippo.io/edwards25519/extra.go
+@@ -265,6 +265,7 @@ func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
+ 	tmp1 := &projP1xP1{}
+ 	tmp2 := &projP2{}
+ 	// Lookup-and-add the appropriate multiple of each input point
++	v.Set(NewIdentityPoint())
+ 	for j := range tables {
+ 		tables[j].SelectInto(multiple, digits[j][63])
+ 		tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.31.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,9 +31,11 @@ Patch16:        CVE-2025-47911.patch
 Patch17:        CVE-2025-58190.patch
 Patch18:        CVE-2026-2303.patch
 Patch19:        CVE-2026-26014.patch
+
 # Patch added based on customer request https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
 # Fix was introduced 1.37.2, this patch can be removed once we update to 1.37.2 or later
 Patch20:        cisco_telegraf_bug61041768.patch
+Patch21:        CVE-2026-26958.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-devel
@@ -98,6 +100,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Tue Mar 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-17
+- Patch for CVE-2026-26958
+
 * Fri Feb 27 2026 Sindhu Karri <lakarri@microsoft.com> - 1.31.0-16
 - Added patch to fix the issue reported in https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
   Fix in telegraf to support cisco telemetry plugin that collects telemetry data from cisco NXOS switches.