CVE-2026-10097 | THREATINT

Description

wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertexts that differ from the expected re-encryption solely in bytes 1536-1567 bypass implicit rejection and are accepted as valid, breaking IND-CCA2 security. An attacker able to submit chosen ciphertexts to a decapsulation oracle that uses a static ML-KEM-1024 key, and to observe whether the genuine shared secret or the implicit-rejection secret was produced, can use this as a plaintext-checking oracle to recover the private key. A proof of concept recovered a full ML-KEM-1024 private key with approximately 98% success using roughly 350 chosen ciphertexts. The flaw is a deterministic logic error and does not rely on timing measurements.

PUBLISHED Reserved 2026-05-29 | Published 2026-06-25 | Updated 2026-06-26 | Assigner wolfSSL

HIGH: 8.3CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-697 Incorrect Comparison

Product status

Default status

unaffected

5.7.0 (semver)

affected

Credits

007bsd (https://github.com/007bsd) finder

References

github.com/wolfSSL/wolfssl/pull/10430 patch

www.wolfssl.com/docs/security-vulnerabilities/

cve.org (CVE-2026-10097)

nvd.nist.gov (CVE-2026-10097)

Download JSON