Description
The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret. The final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, so the 255-bit field element was left non-canonical.
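
As an added illustration (not wolfSSL's code or anything from the advisory), the Python below models the fold-the-top-bit final reduction of a 4 x 64-bit X25519 field element, showing how the +19 carry chain can set bit 255 again after it was cleared, why a routine that skips the second mask returns a non-canonical element, and why the 32-byte encoding of a non-canonical element differs from the canonical one. The limb layout, the two-pass fold and the function names are assumptions made for this illustration.

```python
# Added illustration for this advisory, not wolfSSL's code: the "fold the top
# bit" final reduction of a 4 x 64-bit X25519 field element, modelled with ints.
P = (1 << 255) - 19
MASK63 = (1 << 63) - 1   # clears bit 63 of the top limb, i.e. bit 255 of the element
MASK64 = (1 << 64) - 1

def to_limbs(x):
    return [(x >> (64 * i)) & MASK64 for i in range(4)]

def from_limbs(limbs):
    return sum(v << (64 * i) for i, v in enumerate(limbs))

def propagate(limbs, carry):
    """Add carry to limb 0 and ripple it up the chain, 64 bits per limb."""
    for i in range(4):
        s = limbs[i] + carry
        limbs[i] = s & MASK64
        carry = s >> 64

def fold_top_bit(x, mask_after=True):
    """Fold bit 255 down as +19, since 2^255 = 19 (mod p). The +19 can carry
    all the way up and set bit 255 again, so a correct routine masks and folds
    once more; mask_after=False models one that skips that second mask."""
    limbs = to_limbs(x)
    carry = (limbs[3] >> 63) * 19
    limbs[3] &= MASK63
    propagate(limbs, carry)
    if mask_after:
        carry = (limbs[3] >> 63) * 19
        limbs[3] &= MASK63
        propagate(limbs, carry)
    return from_limbs(limbs)

def canonical(x):
    """Full reduction into [0, p): fold, then subtract p once if still >= p."""
    y = fold_top_bit(x)
    return y - P if y >= P else y

def encode(x):
    """32-byte little-endian encoding, as used for an X25519 shared secret."""
    return x.to_bytes(32, "little")

def encoding_is_canonical(b):
    """True only if the 32 bytes decode to a value below p."""
    return int.from_bytes(b, "little") < P

if __name__ == "__main__":
    x = (1 << 256) - 1                               # constructed: all four limbs 0xFF..FF
    print(fold_top_bit(x, mask_after=False) >> 255)  # 1: top bit still set, not reduced
    print(canonical(x), x % P)                       # 37 37
```

A value in [p, 2^255) such as P + 5 passes the fold untouched, so only the final conditional subtraction (or an explicit canonical check on the encoded bytes) catches it.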
Published: 2026-06-25
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The X25519 routine in the wolfSSL library contains an x86_64 assembly implementation that does not clear the most significant bit during the final modular reduction. As a result, the derived field element can remain non-canonical, leading to an erroneous scalar multiplication result and a potentially wrong shared secret. This flaw is classified as a CWE-682 vulnerability and could compromise the integrity of ECDH key exchanges when the affected code is executed.

Affected Systems

The vulnerability impacts the wolfSSL library, specifically the X25519 implementation on x86_64 architectures. No specific version range is provided in the advisory, so any release that includes the described assembly routine may be affected.

Risk and Exploitability

The CVSS score of 2.3 indicates a low overall risk. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. The flaw is limited to scenarios where the vulnerable code is used for X25519 scalar multiplication; it does not provide arbitrary code execution. Exploitation would likely require influencing the scalar value or the library’s use in SSL/TLS handshakes, making the attack surface narrow and the probability of exploitation relatively low.

Generated by OpenCVE AI on June 25, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest wolfSSL release that contains the patch referenced in the advisory
  • Configure wolfSSL to disable the x86_64 assembly optimization for X25519 so that the software implementation, which correctly performs canonical reduction, is used
  • Enable additional hardening options, such as forcing canonical field element checks or explicitly clearing the high bit, if supported by the library

History

Fri, 26 Jun 2026 01:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wolfssl; Wolfssl wolfssl
Vendors & Products   -                Wolfssl; Wolfssl wolfssl

Thu, 25 Jun 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description  -                (same text as the Description section above)
Title        -                X25519 x86_64 assembly final reduction leaves non-canonical field element
Weaknesses   -                CWE-682
References   -                -
Metrics      -                cvssV4_0: score 2.3, vector CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T19:58:16.013Z

Reserved: 2026-06-01T04:32:49.584Z

Link: CVE-2026-10512

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:00:05Z

Weaknesses