CVE-2026-1229

Aliases:GHSA-q9hv-hpm4-hj6xGO-2026-4550

Advisory lineage Upstream: 0 Downstream: 7

Downstream

MGASA-2026-0147 OPENSUSE-SU-2026:10313-1 OPENSUSE-SU-2026:10486-1 OPENSUSE-SU-2026:10613-1 OPENSUSE-SU-2026:10803-1 SUSE-SU-2026:1042-1

Analyzed

Published: 24 Feb 2026, 07:58

Last modified:24 Feb 2026, 15:10

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

0.03% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

24 Feb 2026, 07:58

Published

Vulnerability first disclosed

24 Feb 2026, 15:10

Last Modified

Vulnerability information updated

Description

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

CVSS Metrics

v4.0•LOW•Score: 2.9CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber
v4.0•LOW•Score: 2.9CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:Amber
v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.03%• Percentile: 8%

Techniques & Countermeasures

CWE-682•Incorrect Calculation
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Affected Systems

cloudflare•circl
≥ CIRCL up to version 1.6.2, < 1.6.3 | < 1.6.3
github.com/cloudflare•circl
< 1.6.3