CVE-2026-10097
Modified Modified - Updated After Analysis

ML-KEM-1024 AVX2 Implicit Rejection Failure in Fujisaki-Okamoto Transform

Vulnerability report for CVE-2026-10097, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: wolfSSL Inc.

Description

wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertexts that differ from the expected re-encryption solely in bytes 1536-1567 bypass implicit rejection and are accepted as valid, breaking IND-CCA2 security. An attacker able to submit chosen ciphertexts to a decapsulation oracle that uses a static ML-KEM-1024 key, and to observe whether the genuine shared secret or the implicit-rejection secret was produced, can use this as a plaintext-checking oracle to recover the private key. A proof of concept recovered a full ML-KEM-1024 private key with approximately 98% success using roughly 350 chosen ciphertexts. The flaw is a deterministic logic error and does not rely on timing measurements.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 5.7.0 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the ML-KEM-1024 x64 AVX2 implementation of the Fujisaki-Okamoto transform, which is used in cryptographic decapsulation. The issue is an implicit rejection failure that breaks IND-CCA2 security. Specifically, during decapsulation, the AVX2 constant-time ciphertext comparison does not check the final 32-byte block of the 1568-byte ciphertext. As a result, if an attacker manipulates only those final bytes, the ciphertext comparison incorrectly returns equal, causing the decapsulation process to return the real shared secret instead of rejecting the manipulated ciphertext as required by the standard.

Compliance Impact

The vulnerability in ML-KEM-1024 x64 AVX2 implicit rejection failure breaks IND-CCA2 security by allowing decapsulation to return the real shared secret instead of performing the required implicit rejection. This cryptographic failure could potentially weaken the confidentiality guarantees of systems relying on this implementation.

However, there is no explicit information provided in the available context or resources about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, update the wolfSSL library to a version that includes the fix for the ML-KEM-1024 AVX2 implicit rejection failure.

The fix addresses the issue where the last 32 bytes of ciphertext were not properly compared during decapsulation, restoring the required implicit rejection behavior.

Ensure that you apply the patch contributed in the pull request which was tested with fuzz testing and merged into the main branch.

Impact Analysis

This vulnerability can allow an attacker to bypass the intended security checks during cryptographic decapsulation, potentially recovering the real shared secret from manipulated ciphertexts. This breaks the IND-CCA2 security guarantees, which means that the confidentiality of encrypted communications or data protected by this cryptographic scheme could be compromised under certain attack scenarios.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10097. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart