CVE-2026-1229 · CRITICAL 9.8 · EPSS p31.4%

Description

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3: https://github.com/cloudflare/circl/releases/tag/v1.6.3

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.40% probability of exploitation · percentile 31.4% · 2026-06-19T12:03:05Z
Published: 2026-02-24
Last modified: 2026-03-03

Underlying weaknesses · 1

CWE-682

References

  1. https://github.com/cloudflare/circl

Type: Weakness
Target: Incorrect Calculation (cwe-682)
Confidence: 0%
Tier: live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.