CVE-2026-1229

EUVD-2026-7384
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in  v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
cloudflarecircl
𝑥
< 1.6.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-cloudflare-circl
jammy
needs-triage
noble
needs-triage
questing
needs-triage
Common Weakness Enumeration
References
https://github.com/cloudflare/circl