GHSA-q9hv-hpm4-hj6x

Source
https://github.com/advisories/GHSA-q9hv-hpm4-hj6x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-q9hv-hpm4-hj6x/GHSA-q9hv-hpm4-hj6x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q9hv-hpm4-hj6x
Aliases
  • CVE-2026-1229
Published
2026-02-25T19:17:50Z
Modified
2026-02-26T21:58:57.533374Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber
Summary
CIRCL has an incorrect calculation in secp384r1 CombinedMult
Details

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3.

Database specific
{
    "nvd_published_at": "2026-02-24T08:16:28Z",
    "severity": "LOW",
    "github_reviewed_at": "2026-02-25T19:17:50Z",
    "cwe_ids": [
        "CWE-682"
    ],
    "github_reviewed": true
}
Affected packages

Go / github.com/cloudflare/circl

Package

Name
github.com/cloudflare/circl
Purl
pkg:golang/github.com/cloudflare/circl

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.6.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-q9hv-hpm4-hj6x/GHSA-q9hv-hpm4-hj6x.json"