CVE-2025-8556

LOW

CIRCL < 1.6.1 - Session Security Compromise via FourQ Elliptic Curve Point Injection

Title source: llm

Description

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

References (7)

Core 7

Core References

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2025-8556

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2371624

Various Sources

https://github.com/cloudflare/circl

Various Sources

https://github.com/cloudflare/circl/tree/v1.6.1

Various Sources

https://news.ycombinator.com/item?id=45669593

Various Sources

https://www.botanica.software/blog/cryptographic-issues-in-cloudflares-circl-fourq-implementation

Vendor Advisory

https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm

Scores

CVSS v3 3.7

EPSS 0.0045

EPSS Percentile 35.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1287

Status published

Products (28)

cloudflare/circl 0 - 1.6.1Go

Red Hat/Builds for Red Hat OpenShift

Red Hat/Custom Metric Autoscaler operator for Red Hat Openshift

Red Hat/Multicluster Global Hub

Red Hat/OpenShift Pipelines

Red Hat/OpenShift Serverless

Red Hat/OpenShift Service Mesh 3

Red Hat/Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat/Red Hat Advanced Cluster Security 4

Red Hat/Red Hat Ceph Storage 5

... and 18 more

Published Aug 06, 2025

Tracked Since Feb 18, 2026