CVE-2026-1229 PUBLISHED

Incorrect calculation in CIRCL secp384r1 CombinedMult

Assigner: cloudflare
Reserved: 20.01.2026 Published: 24.02.2026 Updated: 24.02.2026

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3: https://github.com/cloudflare/circl/releases/tag/v1.6.3

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber
CVSS Score: 2.9

Product Status

Vendor: Cloudflare
Product: CIRCL
Versions: Default: unaffected
  • affected: CIRCL up to version 1.6.2 (versions before 1.6.3, exclusive)

Credits

  • Guido Vranken (finder)

Problem Types

  • CWE-682: Incorrect Calculation