Description

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3: https://github.com/cloudflare/circl/releases/tag/v1.6.3

PUBLISHED Reserved 2026-01-20 | Published 2026-02-24 | Updated 2026-02-24 | Assigner cloudflare

LOW: 2.9 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber)

Problem types

CWE-682 Incorrect Calculation

Product status

Default status: unaffected

CIRCL up to version 1.6.2 (custom) before 1.6.3: affected

Credits

Guido Vranken (finder)

References

github.com/cloudflare/circl

cve.org (CVE-2026-1229)

nvd.nist.gov (CVE-2026-1229)