CVE-2026-10097
Status: Undergoing Analysis - In Progress
ML-KEM-1024 AVX2 Implicit Rejection Failure in Fujisaki-Okamoto Transform

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
ML-KEM-1024 x64 AVX2 implicit rejection failure in the Fujisaki-Okamoto transform breaks IND-CCA2 security, allowing decapsulation to deviate from the implicit-rejection behavior required by the standard. The AVX2 constant-time ciphertext comparison used during decapsulation never compared the final 32-byte block of the 1568-byte ML-KEM-1024 ciphertext, so a ciphertext manipulated only in those final bytes would compare as equal and decapsulation returned the real shared secret instead of performing the required implicit rejection.
Meta Information
CVSS Scores: none listed
EPSS Scores: not evaluated (N/A)
Affected Vendors & Products (2 associated CPEs)
Vendor   Product       Version / Range
wolfssl  ml-kem-1024   * (all versions)
wolfssl  wolfssl       versions before 5.9.1 (5.9.1 excluded)
CWE
CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.
Compliance Impact

This ML-KEM-1024 x64 AVX2 implicit rejection failure breaks IND-CCA2 security by allowing decapsulation to return the real shared secret instead of performing the required implicit rejection. This cryptographic failure could weaken the confidentiality guarantees of systems relying on this implementation.

However, there is no explicit information provided in the available context or resources about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, update the wolfSSL library to a version that includes the fix for the ML-KEM-1024 AVX2 implicit rejection failure.

The fix addresses the issue where the last 32 bytes of ciphertext were not properly compared during decapsulation, restoring the required implicit rejection behavior.

Ensure that you apply the patch contributed in the pull request, which was fuzz-tested and merged into the main branch.

Executive Summary

This vulnerability involves the ML-KEM-1024 x64 AVX2 implementation of the Fujisaki-Okamoto transform, which is used in cryptographic decapsulation. The issue is an implicit rejection failure that breaks IND-CCA2 security. Specifically, during decapsulation, the AVX2 constant-time ciphertext comparison does not check the final 32-byte block of the 1568-byte ciphertext. As a result, if an attacker manipulates only those final bytes, the ciphertext comparison incorrectly returns equal, causing the decapsulation process to return the real shared secret instead of rejecting the manipulated ciphertext as required by the standard.
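The Description and Executive Summary both come down to one mechanism: the decapsulation compare must cover all 1568 ciphertext bytes, and any uncovered tail lets a tampered ciphertext pass as equal so the real shared secret is selected instead of the rejection key. The following C program is an added example written for this page, not wolfSSL's implementation and not its AVX2 code. It uses a constructed scalar model of a block-wise compare that stops one 32-byte block early (labelled as such in the comments), places it beside a correct full-length constant-time compare and a branch-free FO selection step, and runs the regression check a maintainer would want: flip every byte position in turn and count the positions the compare fails to notice. The ciphertext bytes and the two candidate keys are constructed filler, not real ML-KEM values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MLKEM1024_CT_BYTES 1568   /* ML-KEM-1024 ciphertext length, from the advisory */
#define MLKEM_SS_BYTES     32     /* shared-secret length */
#define CMP_BLOCK          32     /* width of one 32-byte (256-bit lane) compare block */

typedef int (*ct_cmp_fn)(const uint8_t *a, const uint8_t *b, size_t len);

/* Correct constant-time comparison: OR together every byte difference.
 * Returns 0 only when all len bytes match; no data-dependent branches. */
static int ct_cmp_full(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return (int)acc;
}

/* CONSTRUCTED model of the defect class the advisory describes (not wolfSSL's code):
 * a block-wise compare whose loop bound stops one block early, so the final
 * 32-byte block is never examined. For 1568 bytes that is bytes 1536..1567. */
static int ct_cmp_model_defect(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t acc = 0;
    size_t nblocks = len / CMP_BLOCK;
    for (size_t blk = 0; blk + 1 < nblocks; blk++) {   /* bug: should be blk < nblocks */
        size_t off = blk * CMP_BLOCK;
        for (size_t i = 0; i < CMP_BLOCK; i++)
            acc |= (uint8_t)(a[off + i] ^ b[off + i]);
    }
    return (int)acc;
}

/* FO implicit-rejection tail: emit k_reject when the re-encrypted ciphertext differs
 * from the received one (neq != 0), k_real otherwise, selected without branching. */
static void fo_select_shared_secret(uint8_t out[MLKEM_SS_BYTES],
                                    const uint8_t k_real[MLKEM_SS_BYTES],
                                    const uint8_t k_reject[MLKEM_SS_BYTES],
                                    int neq)
{
    uint32_t x = (uint32_t)neq;
    x = (x | (0u - x)) >> 31;          /* 1 if neq != 0, else 0 */
    uint8_t mask = (uint8_t)(0u - x);  /* 0xFF selects k_reject, 0x00 selects k_real */
    for (size_t i = 0; i < MLKEM_SS_BYTES; i++)
        out[i] = (uint8_t)((k_reject[i] & mask) | (k_real[i] & (uint8_t)~mask));
}

/* Deterministic constructed filler so the example runs offline (not a real ciphertext). */
static void fill_pattern(uint8_t *buf, size_t len, uint32_t seed)
{
    for (size_t i = 0; i < len; i++) {
        seed = seed * 1103515245u + 12345u;
        buf[i] = (uint8_t)(seed >> 16);
    }
}

/* Regression check: flip each byte position of a 1568-byte ciphertext in turn and
 * count the positions where the compare still reports "equal". Correct result: 0. */
static size_t count_undetected_positions(ct_cmp_fn cmp)
{
    uint8_t c[MLKEM1024_CT_BYTES], t[MLKEM1024_CT_BYTES];
    size_t undetected = 0;
    fill_pattern(c, sizeof c, 0x1234u);
    for (size_t pos = 0; pos < MLKEM1024_CT_BYTES; pos++) {
        memcpy(t, c, sizeof c);
        t[pos] ^= 0x01;
        if (cmp(c, t, MLKEM1024_CT_BYTES) == 0)
            undetected++;
    }
    return undetected;
}

/* End-to-end check of the rejection path: alter only the final byte and report whether
 * the selected shared secret is the rejection key (1) or the real key (0). */
static int last_byte_tamper_rejected(ct_cmp_fn cmp)
{
    uint8_t c[MLKEM1024_CT_BYTES], t[MLKEM1024_CT_BYTES];
    uint8_t k_real[MLKEM_SS_BYTES], k_reject[MLKEM_SS_BYTES], out[MLKEM_SS_BYTES];
    fill_pattern(c, sizeof c, 0xBEEFu);
    memset(k_real, 0x11, sizeof k_real);     /* constructed stand-ins for K and H(z||c) */
    memset(k_reject, 0x22, sizeof k_reject);
    memcpy(t, c, sizeof c);
    t[MLKEM1024_CT_BYTES - 1] ^= 0x80;
    fo_select_shared_secret(out, k_real, k_reject, cmp(c, t, MLKEM1024_CT_BYTES));
    return memcmp(out, k_reject, MLKEM_SS_BYTES) == 0;
}

int main(void)
{
    printf("full compare: %zu undetected positions, last-byte tamper rejected=%d\n",
           count_undetected_positions(ct_cmp_full), last_byte_tamper_rejected(ct_cmp_full));
    printf("defect model: %zu undetected positions, last-byte tamper rejected=%d\n",
           count_undetected_positions(ct_cmp_model_defect), last_byte_tamper_rejected(ct_cmp_model_defect));
    return 0;
}
```

The per-position sweep is the useful part for a defender: the modelled defect reports exactly 32 undetected positions (the final block), while the full compare reports none, and only the full compare steers the FO selection to the rejection key when the last byte is altered. A test of this shape, run against the real vectorised compare with the real ciphertext length, catches any loop bound or tail-handling error regardless of lane width.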

Impact Analysis

This vulnerability can allow an attacker to bypass the intended security checks during cryptographic decapsulation, potentially recovering the real shared secret from manipulated ciphertexts. This breaks the IND-CCA2 security guarantees, which means that the confidentiality of encrypted communications or data protected by this cryptographic scheme could be compromised under certain attack scenarios.
