Fastecdsa · CVE-2024-21502
**Name of the Vulnerable Software and Affected Versions**
fastecdsa versions prior to 2.3.2
**Description**
The issue is the use of an uninitialized stack variable in the `curvemath_mul` function in `src/curveMath.c`. The variable is read and interpreted as a user-defined type, which, depending on the value left on the stack, can lead to an arbitrary `free()`, an arbitrary `realloc()`, a null pointer dereference, or other faults. Because the contents of the stack can be influenced by the attacker, the flaw could be used to corrupt allocator structures, making heap exploitation possible. At minimum, an attacker could use it to cause a denial of service.
**Recommendations**
For versions prior to 2.3.2, update to version 2.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `curvemath_mul` function in `src/curveMath.c` to minimize the risk of exploitation, and avoid using the affected function until the update has been applied.
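As an added example (not part of this advisory and not code from the fastecdsa project), the following Python check reads the installed fastecdsa version with the standard library's `importlib.metadata` and decides whether it is at or above the fixed release 2.3.2. The version comparison is a minimal helper written for this example, not a full PEP 440 implementation: it treats any pre-release suffix (`rc1`, `a0`, `b2`, `.dev0`) as sorting below the final release with the same numbers, and a `.post` suffix as equal to that release. The distribution name `fastecdsa` is assumed to be the name under which the package is installed.

```python
import re
from importlib.metadata import PackageNotFoundError, version

# Fixed release named in the advisory for CVE-2024-21502.
FIXED_VERSION = (2, 3, 2)

# Minimal version parser: "2.3.2", "2.3", "2.3.2rc1", "2.3.2.dev0", "2.3.2.post1".
# This is an example helper, not a complete PEP 440 parser.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def version_key(version_str: str) -> tuple:
    """Return a sortable key (major, minor, patch, is_final) for a version string.

    Assumption: any suffix other than ".post..." (e.g. "rc1", "a0", "b2", ".dev3")
    marks a pre-release, which sorts below the final release with the same numbers.
    A ".post" suffix is treated as the final release itself.
    """
    m = _VERSION_RE.match(version_str.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_str!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 1 if (not suffix or suffix.startswith(".post")) else 0
    return (int(major), int(minor or 0), int(patch or 0), is_final)


def is_fixed(version_str: str) -> bool:
    """True when version_str is 2.3.2 or later, i.e. carries the CVE-2024-21502 fix."""
    return version_key(version_str) >= FIXED_VERSION + (1,)


def check_installed(dist_name: str = "fastecdsa") -> dict:
    """Report whether the installed distribution (if any) carries the fix."""
    try:
        installed = version(dist_name)
    except PackageNotFoundError:
        return {"installed": None, "fixed": None, "action": "not installed"}
    fixed = is_fixed(installed)
    return {
        "installed": installed,
        "fixed": fixed,
        "action": "ok" if fixed else "upgrade to fastecdsa>=2.3.2",
    }


if __name__ == "__main__":
    # Prints a small report for the current environment.
    print(check_installed())
```

Run it inside each virtual environment that ships fastecdsa; an `"action": "upgrade to fastecdsa>=2.3.2"` result means the environment is still exposed to the uninitialized-variable flaw described above. For a fleet-wide check, the same `is_fixed` helper can be applied to version strings collected from `pip freeze` or a lock file.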