CVE-2026-1229
Received Received - Intake
Incorrect Output Vulnerability in CIRCL ecc/p384 CombinedMult Function

Publication date: 2026-02-24

Last updated on: 2026-03-03

Assigner: Cloudflare, Inc.

Description
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1229
EUVD
EUVD-2026-7384
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloudflare circl to 1.6.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is in the CombinedMult function of the CIRCL ecc/p384 package, which uses the secp384r1 elliptic curve. This function produces incorrect values for certain specific inputs due to an implementation issue.

The problem is resolved by using complete addition formulas in the function.

Importantly, ECDH and ECDSA signing operations that rely on this curve are not affected by this issue.

Impact Analysis

This vulnerability can cause the CombinedMult function to produce incorrect cryptographic values for certain inputs, which may lead to incorrect cryptographic computations when using the CIRCL ecc/p384 package.

However, since ECDH and ECDSA signing relying on this curve are not affected, the impact on common cryptographic operations like key exchange and digital signatures is limited.

The overall severity is low, as indicated by the CVSS base score of 2.9.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in version 1.6.3 of the CIRCL ecc/p384 package. To mitigate this vulnerability, you should update the CIRCL package to version 1.6.3 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart