Impact
The vulnerability resides in the constant‑time comparison routine used for the ML‑KEM ciphertext on ARM64 NEON architecture; it evaluates only half of the ciphertext. This short‑circuit comparison breaks the Fujisaki‑Okamoto transform’s implicit rejection requirement, thereby weakening the IND‑CCA2 security guarantees of the KEM. An attacker that can present a crafted ciphertext to a decapsulating party may cause the comparison to succeed even when the ciphertext has been altered, allowing the party to retrieve a shared secret without detection.
Affected Systems
The affected product is the wolfSSL cryptographic library distributed by wolfSSL numbers are listed in the CNA data, but the issue lies in the ARM64 NEON implementation path for the ML‑KEM operation.
Risk and Exploitability
The CVSS score of 6.3 indicates a moderate severity. EPSS information is not available, and the vulnerability has not been listed in the CISA KEV catalog. Attackers would need to craft a modified ciphertext and deliver it to a decapsulating entity; the attack vector is therefore remote but requires knowledge of the protocol. Exploitation would allow the attacker to bypass implicit rejection checks and potentially compromise confidentiality or integrity of the shared secret in the affected code path.
OpenCVE Enrichment