CVE-2026-1229

CRITICAL

CIRCL ecc/p384 - Memory Corruption

Title source: llm

Description

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

References (1)

[Various Sources] https://github.com/cloudflare/circl

Scores

CVSS v3 9.8

EPSS 0.0002

EPSS Percentile 5.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-682

Status published

Affected Products (2)

cloudflare/circl < 1.6.3Go

cloudflare/circl < 1.6.3

Timeline

Published Feb 24, 2026

Tracked Since Feb 24, 2026