Github
CVE-2026-1229
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
AnalysisAI
Incorrect computation in CIRCL cryptographic library's CombinedMult function for secp384r1 (P-384) curve. Produces wrong elliptic curve multiplication results for specific inputs, potentially breaking ECDSA signature verification.
Technical ContextAI
CWE-682 incorrect calculation in CombinedMult for secp384r1. The CIRCL library (Cloudflare's Go cryptographic library) produces incorrect results for specific P-384 inputs, which could cause ECDSA verification to accept invalid signatures or reject valid ones.
RemediationAI
Update CIRCL library immediately. Applications using CIRCL for P-384 operations should verify cryptographic operations after update.
Supply chain vulnerability in Eclipse Theia GitHub Actions workflow. The preview.yml workflow uses pull_request_target w
Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables ma
Eigent multi-agent workflow CI pipeline (ci.yml) uses pull_request_target with checkout of untrusted PR code, enabling a
Unauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrit
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCrede
OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by
PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enab
Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore i
Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients
Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package dire
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc
Same weakness CWE-682 – Incorrect Calculation
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-q9hv-hpm4-hj6x