CVE-2026-1229 - Vulnerability Details - OpenCVE

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cloudflare	Circl

No data.

No data.

References

Link	Providers
https://github.com/cloudflare/circl

History

Wed, 25 Feb 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cloudflare Cloudflare circl
Vendors & Products		Cloudflare Cloudflare circl

Tue, 24 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Feb 2026 08:15:00 +0000

Type	Values Removed	Values Added
Description		The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
Title		Incorrect calculation in CIRCL secp384r1 CombinedMult
Weaknesses		CWE-682
References		https://github.com/cloudflare/circl
Metrics		cvssV4_0 `{'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2026-02-24T07:58:54.406Z

Updated: 2026-02-24T15:10:21.738Z

Reserved: 2026-01-20T13:09:57.206Z

Link: CVE-2026-1229

Vulnrichment

Updated: 2026-02-24T15:06:03.406Z

NVD

Status : Awaiting Analysis

Published: 2026-02-24T08:16:28.407

Modified: 2026-02-24T14:13:49.320

Link: CVE-2026-1229

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1229", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2026-01-20T13:09:57.206Z", "datePublished": "2026-02-24T07:58:54.406Z", "dateUpdated": "2026-02-24T15:10:21.738Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Go"], "product": "CIRCL", "repo": "https://github.com/cloudflare/circl", "vendor": "Cloudflare", "versions": [{"lessThan": "1.6.3", "status": "affected", "version": "CIRCL up to version 1.6.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Guido Vranken"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><div><div><div><p>The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.<br>ECDH and ECDSA signing relying on this curve are not affected.</p><p>The bug was fixed in <strong><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/circl/releases/tag/v1.6.3\">v1.6.3</a></strong>.</p></div></div></div></div></div><div><div><div><div><br></div></div></div></div><br>"}], "value": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 ."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 2.9, "baseSeverity": "LOW", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-682", "description": "CWE-682 Incorrect Calculation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2026-02-24T07:58:54.406Z"}, "references": [{"url": "https://github.com/cloudflare/circl"}], "source": {"discovery": "EXTERNAL"}, "title": "Incorrect calculation in CIRCL secp384r1 CombinedMult", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T15:04:09.395394Z", "id": "CVE-2026-1229", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:10:21.738Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1229", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T15:04:09.395394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:06:03.406Z"}}], "cna": {"title": "Incorrect calculation in CIRCL secp384r1 CombinedMult", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Guido Vranken"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.9, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/cloudflare/circl", "vendor": "Cloudflare", "product": "CIRCL", "versions": [{"status": "affected", "version": "CIRCL up to version 1.6.2", "lessThan": "1.6.3", "versionType": "custom"}], "platforms": ["Go"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/cloudflare/circl"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .", "supportingMedia": [{"type": "text/html", "value": "<div><div><div><div><div><p>The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.<br>ECDH and ECDSA signing relying on this curve are not affected.</p><p>The bug was fixed in <strong><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/circl/releases/tag/v1.6.3\">v1.6.3</a></strong>.</p></div></div></div></div></div><div><div><div><div><br></div></div></div></div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-682", "description": "CWE-682 Incorrect Calculation"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2026-02-24T07:58:54.406Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1229", "state": "PUBLISHED", "dateUpdated": "2026-02-24T15:10:21.738Z", "dateReserved": "2026-01-20T13:09:57.206Z", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "datePublished": "2026-02-24T07:58:54.406Z", "assignerShortName": "cloudflare"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 ."}], "id": "CVE-2026-1229", "lastModified": "2026-02-24T14:13:49.320", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2026-02-24T08:16:28.407", "references": [{"source": "cna@cloudflare.com", "url": "https://github.com/cloudflare/circl"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-682"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}