CVE-2026-1229

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-1229
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-1229.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-1229
Aliases
Downstream
Related
Published
2026-02-24T08:16:28.407Z
Modified
2026-03-11T05:53:38.182710Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

References

Affected packages

Git / github.com/cloudflare/circl

Affected ranges

Type
GIT
Repo
https://github.com/cloudflare/circl
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
24ae53c5d6f7fe18203adc125ba3ed76a38703e1
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.3"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.5.0
v1.6.0
v1.6.1
v1.6.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-1229.json"