CIRCL ecc/p384 CombinedMult flaw CVE-2026-1229 Fixed v1.6.3
CVE-2026-1229 Published on February 24, 2026
Incorrect calculation in CIRCL secp384r1 CombinedMult
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
Weakness Type
Incorrect Calculation
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution.
Affected Versions
Cloudflare CIRCL:- Version CIRCL up to version 1.6.2 and below 1.6.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.