VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-82wq-13vf-ufb2

Essentials
Severities (27)
References (6)
Severity details (11)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-82wq-13vf-ufb2
Aliases	CVE-2026-1229 GHSA-q9hv-hpm4-hj6x
Summary	CIRCL has an incorrect calculation in secp384r1 CombinedMult The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in [v1.6.3](https://github.com/cloudflare/circl/releases/tag/v1.6.3).
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-682

Incorrect Calculation

System	Score	Found at
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00022	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00023	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
epss	0.00023	https://api.first.org/data/v1/epss?cve=CVE-2026-1229
cvssv4	2.9	https://github.com/cloudflare/circl
generic_textual	LOW	https://github.com/cloudflare/circl
ssvc	Track	https://github.com/cloudflare/circl
cvssv4	2.9	https://github.com/cloudflare/circl/pull/583
generic_textual	LOW	https://github.com/cloudflare/circl/pull/583
cvssv4	2.9	https://github.com/cloudflare/circl/releases/tag/v1.6.3
generic_textual	LOW	https://github.com/cloudflare/circl/releases/tag/v1.6.3
cvssv4	2.9	https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x
generic_textual	LOW	https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x
cvssv4	2.9	https://nvd.nist.gov/vuln/detail/CVE-2026-1229
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2026-1229

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-1229
		https://github.com/cloudflare/circl
		https://github.com/cloudflare/circl/pull/583
		https://github.com/cloudflare/circl/releases/tag/v1.6.3
		https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x
		https://nvd.nist.gov/vuln/detail/CVE-2026-1229

No exploits are available.

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber Found at https://github.com/cloudflare/circl

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:04:09Z/ Found at https://github.com/cloudflare/circl

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber Found at https://github.com/cloudflare/circl/pull/583

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber Found at https://github.com/cloudflare/circl/releases/tag/v1.6.3

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber Found at https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber Found at https://nvd.nist.gov/vuln/detail/CVE-2026-1229

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.05796
EPSS Score	0.00022
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:52:49.026829+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-q9hv-hpm4-hj6x/GHSA-q9hv-hpm4-hj6x.json	38.0.0