SecuriTricks - CVE-2026-1229

Description

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

Product(s) Impacted

Vendor	Product	Versions
Cloudflare	Circl	1.6.3, *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-682

Incorrect Calculation

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	cloudflare	circl	1.6.3	/	/	/	/	/	/	/
a	cloudflare	circl	/	/	/	/	/	/	/	/

References

https://github.com/cloudflare/circl

CVSS Score

2.9 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Exploit Maturity: PROOF_OF_CONCEPT

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:Amber

View Vector String

Timeline

Published: Feb. 24, 2026, 8:16 a.m.
Last Modified: Feb. 24, 2026, 2:13 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-1229