CVE-2026-10512
Analyzed Analyzed - Analysis Complete

X25519 x86_64 Assembly Modular Reduction Flaw

Vulnerability report for CVE-2026-10512, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: wolfSSL Inc.

Description

The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret. The final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, so the 255-bit field element was left non-canonical.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 5.6.4 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in the X25519 x86_64 assembly implementation where the most significant bit is not cleared during the final modular reduction step.

As a result, the computed result may not be fully reduced modulo the field prime 2^255 - 19, leaving the field element in a non-canonical form.

This can produce an incorrect result from the scalar multiplication and potentially a wrong shared secret.

The issue arises because the final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, leaving the 255-bit field element non-canonical.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should update the wolfSSL library to a version that includes the fix for CVE-2026-10512.

The fix involves applying the patch that masks the final limb after the last carry-propagating addition in the x64 and AVX2 final reduction paths to ensure the top bit is cleared, preventing non-canonical outputs.

Ensure that your build of wolfSSL includes the patch merged on June 3, 2026, which also adds known-answer tests to validate correct outputs.

Impact Analysis

This vulnerability can lead to incorrect cryptographic computations, specifically producing wrong shared secrets during scalar multiplication in the X25519 key exchange.

Such incorrect results may weaken the security guarantees of cryptographic protocols relying on X25519, potentially compromising confidentiality or integrity of communications.

Detection Guidance

This vulnerability relates to a correctness bug in the x64 Curve25519 (X25519) assembly implementation where the final output may not be fully reduced, resulting in non-canonical field elements. Detection involves verifying whether the X25519 implementation produces fully reduced outputs.

One practical approach to detect this issue is to run known-answer tests (KATs) that check if the scalar multiplication outputs are canonical and fully reduced modulo 2^255 - 19.

Specifically, you can use the updated Curve25519 API test suite from wolfSSL that includes these KATs based on Wycheproof vectors. Running these tests on your system's wolfSSL library can reveal if the vulnerability is present.

There are no direct network commands or simple system commands provided to detect this vulnerability, as it is a cryptographic implementation correctness issue rather than a network-exposed flaw.

If you have access to the wolfSSL test suite, you can run the Curve25519 API tests that include the new KATs. For example, after building wolfSSL, run the test executable that covers Curve25519 to verify correctness.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart