The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret. The final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, so the 255-bit field element was left non-canonical.
{
"sources": [
{
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-10512",
"html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10512",
"imported": "2026-07-14T21:22:49.561Z",
"database_specific": {
"status": "Analyzed"
},
"id": "CVE-2026-10512",
"modified": "2026-06-26T16:53:52.440Z",
"published": "2026-06-25T20:17:09.513Z"
},
{
"html_url": "https://github.com/advisories/GHSA-gjm7-vch5-hch8",
"imported": "2026-07-14T21:23:10.146Z",
"published": "2026-06-25T21:31:30Z",
"id": "GHSA-gjm7-vch5-hch8",
"modified": "2026-06-26T18:33:51Z",
"url": "https://api.github.com/advisories/GHSA-gjm7-vch5-hch8"
},
{
"html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-39552",
"imported": "2026-07-14T21:22:51.250Z",
"published": "2026-06-25T19:58:16Z",
"id": "EUVD-2026-39552",
"modified": "2026-06-26T13:49:49Z",
"url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-39552"
}
],
"license": "CC-BY-4.0"
}