Description
The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the constant‑time comparison routine used for the ML‑KEM ciphertext on ARM64 NEON architecture; it evaluates only half of the ciphertext. This short‑circuit comparison breaks the Fujisaki‑Okamoto transform’s implicit rejection requirement, thereby weakening the IND‑CCA2 security guarantees of the KEM. An attacker that can present a crafted ciphertext to a decapsulating party may cause the comparison to succeed even when the ciphertext has been altered, allowing the party to retrieve a shared secret without detection.

Affected Systems

The affected product is the wolfSSL cryptographic library distributed by wolfSSL numbers are listed in the CNA data, but the issue lies in the ARM64 NEON implementation path for the ML‑KEM operation.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. EPSS information is not available, and the vulnerability has not been listed in the CISA KEV catalog. Attackers would need to craft a modified ciphertext and deliver it to a decapsulating entity; the attack vector is therefore remote but requires knowledge of the protocol. Exploitation would allow the attacker to bypass implicit rejection checks and potentially compromise confidentiality or integrity of the shared secret in the affected code path.

Generated by OpenCVE AI on June 25, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to a version that includes the fix from pull request 10192 or later. This restores the full constant‑time comparison for ML‑KEM on ARM64 NEON.
  • If an upgrade is not immediately possible, disable NEON optimizations for KEM by compiling wolfSSL with the appropriate configuration flag, which forces the library to use the non‑optimised constant‑time comparison path.
  • Consider rotating any keys or secrets that may have been exposed by a failed implicit rejection, and monitor for abnormal decapsulation failures as an early indicator of misuse.

Generated by OpenCVE AI on June 25, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.
Title ML-KEM ARM64 NEON ciphertext comparison only compares half of the input
Weaknesses CWE-327
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-26T10:20:49.418Z

Reserved: 2026-04-15T03:08:30.514Z

Link: CVE-2026-6330

cve-icon Vulnrichment

Updated: 2026-06-26T10:20:42.712Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:15:04Z

Weaknesses
  • CWE-327

    Use of a Broken or Risky Cryptographic Algorithm