CVE-2026-10512

UNKNOWN 0.0

X25519 x86_64 assembly final reduction leaves non-canonical field element

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret. The final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, so the 255-bit field element was left non-canonical.

CWE	CWE-682
Vendor	wolfssl
Product	wolfssl
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for wolfssl wolfssl

Be the first to know when new unknown vulnerabilities affecting wolfssl wolfssl are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

wolfSSL / wolfSSL

5.6.4 ≤ 5.9.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/wolfSSL/wolfssl/pull/10536 wolfssl.com: https://www.wolfssl.com/docs/security-vulnerabilities/

Credits

Haruki Oyama