CVE-2026-10512
Undergoing Analysis Undergoing Analysis - In Progress
X25519 x86_64 Assembly Modular Reduction Flaw

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret. The final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, so the 255-bit field element was left non-canonical.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-10512
EUVD
EUVD-2026-39552
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wolfssl x25519 *
wolfssl wolfssl to 3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the X25519 x86_64 assembly implementation where the most significant bit is not cleared during the final modular reduction step.

As a result, the computed result may not be fully reduced modulo the field prime 2^255 - 19, leaving the field element in a non-canonical form.

This can produce an incorrect result from the scalar multiplication and potentially a wrong shared secret.

The issue arises because the final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, leaving the 255-bit field element non-canonical.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should update the wolfSSL library to a version that includes the fix for CVE-2026-10512.

The fix involves applying the patch that masks the final limb after the last carry-propagating addition in the x64 and AVX2 final reduction paths to ensure the top bit is cleared, preventing non-canonical outputs.

Ensure that your build of wolfSSL includes the patch merged on June 3, 2026, which also adds known-answer tests to validate correct outputs.

Impact Analysis

This vulnerability can lead to incorrect cryptographic computations, specifically producing wrong shared secrets during scalar multiplication in the X25519 key exchange.

Such incorrect results may weaken the security guarantees of cryptographic protocols relying on X25519, potentially compromising confidentiality or integrity of communications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart