CVE-2026-1229
Received Received - Intake
Incorrect Output Vulnerability in CIRCL ecc/p384 CombinedMult Function

Publication date: 2026-02-24

Last updated on: 2026-03-03

Assigner: Cloudflare, Inc.

Description
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-03-03
Generated
2026-05-07
AI Q&A
2026-02-24
EPSS Evaluated
2026-05-05
NVD
CVE-2026-1229
EUVD
EUVD-2026-7384
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloudflare circl to 1.6.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability is in the CombinedMult function of the CIRCL ecc/p384 package, which uses the secp384r1 elliptic curve. This function produces incorrect values for certain specific inputs due to an implementation issue.

The problem is resolved by using complete addition formulas in the function.

Importantly, ECDH and ECDSA signing operations that rely on this curve are not affected by this issue.


How can this vulnerability impact me? :

This vulnerability can cause the CombinedMult function to produce incorrect cryptographic values for certain inputs, which may lead to incorrect cryptographic computations when using the CIRCL ecc/p384 package.

However, since ECDH and ECDSA signing relying on this curve are not affected, the impact on common cryptographic operations like key exchange and digital signatures is limited.

The overall severity is low, as indicated by the CVSS base score of 2.9.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in version 1.6.3 of the CIRCL ecc/p384 package. To mitigate this vulnerability, you should update the CIRCL package to version 1.6.3 or later.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart