CVE-2026-10097

EUVD-2026-39553

25.06.2026, 20:17

ML-KEM-1024 x64 AVX2 implicit rejection failure in the Fujisaki-Okamoto transform breaks IND-CCA2 security, allowing decapsulation to deviate from the implicit-rejection behavior required by the standard. The AVX2 constant-time ciphertext comparison used during decapsulation never compared the final 32-byte block of the 1568-byte ML-KEM-1024 ciphertext, so a ciphertext manipulated only in those final bytes would compare as equal and decapsulation returned the real shared secret instead of performing the required implicit rejection.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
wolfSSL	CNA	6.3 MEDIUM	NETWORK	HIGH	NONE	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
wolfssl	wolfssl	5.7.0 ≤ 𝑥 ≤ 5.9.1	CNA

Common Weakness Enumeration

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

References

https://github.com/wolfSSL/wolfssl/pull/10430

https://www.wolfssl.com/docs/security-vulnerabilities/