Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.9
Incorrect math in CIRCL's secp384r1 calculation
CVE-2026-1229
GHSA-q9hv-hpm4-hj6x
GHSA-q9hv-hpm4-hj6x
Summary
CIRCL's secp384r1 math library has a mistake that can produce incorrect results for certain inputs. This only affects specific calculations, not all uses of the library. Update to the latest version (v1.6.3) to fix the issue.
What to do
- Update github.com cloudflare to version 1.6.3.
- Update cloudflare github.com/cloudflare/circl to version 1.6.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | cloudflare | <= 1.6.3 | 1.6.3 |
| cloudflare | circl | <= 1.6.3 | – |
| cloudflare | github.com/cloudflare/circl | <= 1.6.3 | 1.6.3 |
Original title
CIRCL has an incorrect calculation in secp384r1 CombinedMult
Original description
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in **[v1.6.3](https://github.com/cloudflare/circl/releases/tag/v1.6.3)**.
ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in **[v1.6.3](https://github.com/cloudflare/circl/releases/tag/v1.6.3)**.
nvd CVSS3.1
9.8
nvd CVSS4.0
2.9
Vulnerability type
CWE-682
- https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x
- https://nvd.nist.gov/vuln/detail/CVE-2026-1229
- https://github.com/cloudflare/circl/pull/583
- https://github.com/cloudflare/circl/releases/tag/v1.6.3
- https://github.com/advisories/GHSA-q9hv-hpm4-hj6x
- https://github.com/cloudflare/circl Product
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026