Cyber Resilience

CVE-2026-1229

Severity: Low

Published: 24 February 2026
Modified: 03 March 2026
Patch: available
CVSS v4 score: 2.9 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:Amber)
EPSS score: 0.0040 (31.4th percentile)
Risk priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-1229 is a low-severity Incorrect Calculation (CWE-682) vulnerability in Cloudflare Circl. Its CVSS base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.4th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-1229 is a vulnerability in the CombinedMult function within the CIRCL ecc/p384 package, specifically for the secp384r1 elliptic curve. This function produces an incorrect value for certain inputs due to incomplete addition formulas. The issue affects the CIRCL library developed by Cloudflare, a Go-based cryptographic library. Notably, ECDH key exchange and ECDSA signing operations relying on this curve are not impacted.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction. Attackers could provide specific inputs to trigger the faulty computation in applications using the affected function, potentially leading to high impacts on confidentiality, integrity, and availability through cryptographic miscalculations.

The bug was addressed in CIRCL version 1.6.3, released with a fix implementing complete addition formulas. Additional details are available in the project's GitHub repository at https://github.com/cloudflare/circl and the specific release notes at https://github.com/cloudflare/circl/releases/tag/v1.6.3. Security practitioners should update to v1.6.3 or later to mitigate the issue.

Vulnerability details

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 (https://github.com/cloudflare/circl/releases/tag/v1.6.3).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated exploitation of the crypto implementation flaw in a library used by public-facing applications directly matches T1190; impacts are limited to specific ECC operations and exact attacker primitives (e.g., forgery vs. DoS) are not fully detailed.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2833 (same vendor: Cloudflare)
CVE-2026-44498 (shared CWE-682)
CVE-2026-2835 (same vendor: Cloudflare)
CVE-2026-2836 (same vendor: Cloudflare)
CVE-2025-26622 (shared CWE-682)
CVE-2026-24783 (shared CWE-682)
CVE-2021-3978 (same vendor: Cloudflare)
CVE-2026-0933 (same vendor: Cloudflare)
CVE-2025-0651 (same vendor: Cloudflare)
CVE-2026-33487 (shared CWE-682)

Affected Assets

Vendor: cloudflare; Product: circl; Versions: ≤ 1.6.3

Mitigating Controls (NIST 800-53 r5)

Prevent / recover: directly mandates identification, reporting, and correction of software flaws like the faulty CombinedMult function in CIRCL ecc/p384 by updating to v1.6.3 or later.

Detect (RA-5 Vulnerability Monitoring and Scanning): enables ongoing vulnerability scanning to identify deployments using vulnerable CIRCL library versions affected by CVE-2026-1229.

Prevent (CM-10 Software Usage Restrictions): restricts execution to authorized software versions, preventing use of vulnerable CIRCL ecc/p384 prior to the v1.6.3 fix.
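The update advice in the analysis above and the RA-5 scanning control both reduce to one inventory question: which Go modules or binaries still resolve to a CIRCL release older than v1.6.3? The program below is an added example, not code from the CIRCL project or from this page's source. It parses `go list -m all` output (a constructed sample is embedded), honours replace directives, treats pseudo-versions and pre-releases as earlier than the tagged release, and flags every effective github.com/cloudflare/circl version that sorts before v1.6.3. The fixed-version constant follows the analysis text, and the sample listing and module names are constructed; the page gives no triggering inputs, so the example makes no attempt to reproduce the miscalculation itself.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const (
	circlModule       = "github.com/cloudflare/circl"
	circlFixedVersion = "v1.6.3" // fix release named in the advisory; earlier versions are flagged
)

// Constructed sample of `go list -m all` output for a hypothetical service (not real project data);
// the last line carries a replace directive, and the module actually built is the one after "=>".
const sampleModuleList = `example.com/inventory-api
github.com/cloudflare/circl v1.6.1
golang.org/x/crypto v0.31.0
github.com/cloudflare/circl v1.6.3-0.20260101000000-abcdef123456 => github.com/cloudflare/circl v1.6.3
`

// semver is the numeric core of a module version plus whether a pre-release tag follows it.
type semver struct {
	core       [3]int // major, minor, patch
	prerelease bool
}

// parseSemver parses "vMAJOR.MINOR.PATCH[-prerelease]" as Go modules print versions.
func parseSemver(v string) (out semver, err error) {
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		out.prerelease = true // pre-releases and pseudo-versions sort before the plain release
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		if out.core[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("malformed version %q: %w", v, err)
		}
	}
	return out, nil
}

// less reports whether a sorts before b: numeric core first, then pre-release before release.
func (a semver) less(b semver) bool {
	for i := range a.core {
		if a.core[i] != b.core[i] {
			return a.core[i] < b.core[i]
		}
	}
	return a.prerelease && !b.prerelease
}

// CirclVersionVulnerable reports whether a circl module version predates the fixed release.
func CirclVersionVulnerable(version string) (bool, error) {
	have, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	fixed, _ := parseSemver(circlFixedVersion) // the constant above is well-formed
	return have.less(fixed), nil
}

// ScanModuleList reads `go list -m all` output and returns every effective circl version that
// predates the fix. Replacements pointing at a local directory carry no version and are skipped.
func ScanModuleList(listing string) ([]string, error) {
	var flagged []string
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "=>"); i >= 0 {
			line = strings.TrimSpace(line[i+2:]) // the replacement is what gets built
		}
		f := strings.Fields(line)
		if len(f) != 2 || f[0] != circlModule {
			continue
		}
		vuln, err := CirclVersionVulnerable(f[1])
		if err != nil {
			return nil, err
		}
		if vuln {
			flagged = append(flagged, f[1])
		}
	}
	return flagged, sc.Err()
}

func main() {
	flagged, err := ScanModuleList(sampleModuleList)
	if err != nil {
		panic(err)
	}
	fmt.Printf("circl versions predating %s: %v\n", circlFixedVersion, flagged)
}
```

Against a real repository, capture `go list -m all` to a file and pass its contents to ScanModuleList; a replace directive that points at a local directory prints no version and must be checked by hand. A version match only says the vulnerable release is present, not that the faulty function is reachable, so a call-graph-aware scanner such as govulncheck is the complementary check before prioritising the upgrade.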