CVE-2025-66692

7.5 HIGH

📋 TL;DR

A buffer over-read vulnerability in Trust Wallet Core's PublicKey::verify() method allows attackers to cause Denial of Service (DoS) by sending crafted inputs. This affects applications using Trust Wallet Core for cryptographic operations before the fix. The vulnerability could crash applications relying on this library for signature verification.

💻 Affected Systems

Products:
  • Trust Wallet Core
Versions: All versions before commit 5668c67
Operating Systems: All platforms supported by Trust Wallet Core
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Trust Wallet Core library for cryptographic operations is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application crash leading to service unavailability, potentially disrupting cryptocurrency wallet operations and transaction processing.

🟠 Likely Case

Application instability or crashes when processing maliciously crafted signature verification requests, causing temporary service disruption.

🟢 If Mitigated

Minimal impact with proper input validation and error handling in place, though the underlying vulnerability remains.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending crafted input to trigger the buffer over-read, which is relatively straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 5668c67 and later

Vendor Advisory: https://github.com/trustwallet/wallet-core/commit/5668c67

Restart Required: Yes

Instructions:

1. Update Trust Wallet Core to commit 5668c67 or later.
2. Rebuild any applications using the library.
3. Restart affected services.

🔧 Temporary Workarounds

Input Validation Wrapper (Platforms: all)

Implement additional input validation before calling PublicKey::verify() to reject malformed inputs.
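The following is an added example of such a wrapper; it is not wallet-core code and does not depend on it. It assumes that "malformed" means a signature or message whose length is not what the curve expects, and it places a length gate in front of whatever verifier the application already calls (in a real deployment the `verify` argument would wrap `PublicKey::verify()`). The names `gatedVerify`, `Curve`, `VerifyFn` and `GateResult`, and the length table (secp256k1 ECDSA signatures as r||s or r||s||v over a 32-byte digest, ed25519 signatures of 64 bytes over an arbitrary message), are this example's own assumptions, not values taken from the advisory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <vector>

// Added example: a length gate in front of a signature verifier.
// Nothing here is wallet-core code; the verifier is passed in as a callback.
using Bytes = std::vector<uint8_t>;
using VerifyFn = std::function<bool(const Bytes& signature, const Bytes& message)>;

enum class Curve { Secp256k1, Ed25519 };

// Assumed expectations per curve (hypothetical table for this example):
//   minSig/maxSig: accepted signature length range in bytes
//   msgLen:        required message length in bytes, 0 = any length
struct Expectation { size_t minSig; size_t maxSig; size_t msgLen; };

Expectation expectationFor(Curve c) {
    switch (c) {
        case Curve::Secp256k1: return {64, 65, 32}; // r||s or r||s||v over a 32-byte digest
        case Curve::Ed25519:   return {64, 64, 0};  // fixed 64-byte signature, any message
    }
    throw std::invalid_argument("unknown curve");
}

// accepted: the input passed the gate and the verifier was invoked
// verified: the verifier's answer (only meaningful when accepted is true)
struct GateResult { bool accepted; bool verified; const char* reason; };

// Reject out-of-range inputs before the underlying verifier ever sees them.
GateResult gatedVerify(Curve curve, const Bytes& signature, const Bytes& message,
                       const VerifyFn& verify) {
    const Expectation e = expectationFor(curve);
    if (signature.size() < e.minSig || signature.size() > e.maxSig)
        return {false, false, "signature length out of range for curve"};
    if (e.msgLen != 0 && message.size() != e.msgLen)
        return {false, false, "message length does not match expected digest size"};
    const bool ok = verify(signature, message);
    return {true, ok, ok ? "signature verified" : "signature rejected by verifier"};
}

// Stand-alone demo with a stand-in verifier that accepts everything it is handed,
// so the output shows which inputs reach it and which the gate stops first.
int main() {
    VerifyFn acceptAll = [](const Bytes&, const Bytes&) { return true; };
    const Bytes digest(32, 0x11);            // constructed 32-byte digest
    const Bytes goodSig(64, 0x22);           // constructed 64-byte signature
    const Bytes oversizedSig(4096, 0x33);    // constructed oversized signature
    GateResult r1 = gatedVerify(Curve::Secp256k1, goodSig, digest, acceptAll);
    GateResult r2 = gatedVerify(Curve::Secp256k1, oversizedSig, digest, acceptAll);
    GateResult r3 = gatedVerify(Curve::Ed25519, goodSig, Bytes(5, 0x44), acceptAll);
    std::printf("%d %d %s\n", r1.accepted, r1.verified, r1.reason);
    std::printf("%d %d %s\n", r2.accepted, r2.verified, r2.reason);
    std::printf("%d %d %s\n", r3.accepted, r3.verified, r3.reason);
    return 0;
}
```

The gate only narrows what the verifier can be asked to process; it does not fix the library, so it belongs in front of every call site, and the `reason` string is what an application would log so that rejected inputs become visible to the monitoring described below rather than silent drops.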

🧯 If You Can't Patch

  • Implement rate limiting on signature verification endpoints to reduce DoS impact
  • Deploy application-level monitoring to detect and alert on repeated verification failures

🔍 How to Verify

Check if Vulnerable:

Check if your Trust Wallet Core version is older than commit 5668c67 by examining the git commit hash or version metadata.

Check Version:

git log --oneline -1

Verify Fix Applied:

Confirm that commit 5668c67 is an ancestor of the checked-out revision (a different current hash alone does not prove the fix is present), and test signature verification with known good and malformed inputs.

📡 Detection & Monitoring

Log Indicators:

  • Repeated application crashes
  • Segmentation fault errors in logs
  • Abnormal termination of wallet services

Network Indicators:

  • Spike in failed signature verification requests
  • Unusual patterns in cryptographic API calls

SIEM Query:

source="application.log" AND ("segmentation fault" OR "buffer over-read" OR "PublicKey::verify")
