CVE-2026-1229 identifies a vulnerability in the Cloudflare CIRCL cryptographic library, specifically within the CombinedMult function of the ecc/p384 package that implements elliptic curve operations on the secp384r1 curve. The CombinedMult function is responsible for performing combined scalar multiplications on elliptic curve points, a critical operation in various cryptographic protocols. Due to the use of incomplete addition formulas, the function produces incorrect output values for certain input parameters. This mathematical miscalculation could potentially undermine cryptographic operations relying on this function. However, the vulnerability does not affect ECDH (Elliptic Curve Diffie-Hellman) key exchange or ECDSA (Elliptic Curve Digital Signature Algorithm) signing processes that use the same curve, indicating the flaw is localized to specific internal computations. The issue was addressed by adopting complete addition formulas in the function implementation, ensuring correct elliptic curve arithmetic. The fix was released in CIRCL version 1.6.3. The CVSS 4.0 base score is 2.9, reflecting low severity due to the high attack complexity and limited impact on confidentiality, integrity, and availability. No authentication or user interaction is required to exploit the flaw, but the complexity of triggering the incorrect calculation is high. No known exploits have been reported in the wild to date.

The incorrect calculation in the CombinedMult function could lead to erroneous cryptographic computations in applications relying on the CIRCL library's ecc/p384 package. While ECDH and ECDSA operations are unaffected, other cryptographic protocols or custom implementations using this function might experience degraded security guarantees, potentially causing subtle cryptographic failures or weakening security assurances. This could result in incorrect cryptographic proofs or failures in protocols that depend on accurate elliptic curve arithmetic. However, the overall impact is limited due to the narrow scope of affected operations and the absence of known exploits. Organizations using CIRCL versions up to 1.6.2 may face risks in specialized cryptographic applications but are unlikely to experience widespread compromise or service disruption. The vulnerability does not appear to enable direct data breaches or denial of service but could undermine trust in cryptographic correctness if left unpatched.

Organizations should promptly upgrade the Cloudflare CIRCL library to version 1.6.3 or later, where the vulnerability is fixed by implementing complete addition formulas in the CombinedMult function. Developers should audit their cryptographic code to identify any reliance on the affected ecc/p384 CombinedMult function and validate that no custom or legacy code bypasses the patched library. It is advisable to perform cryptographic validation tests to ensure correctness after upgrading. For environments where immediate upgrade is not feasible, consider isolating or disabling features that depend on the vulnerable function, if possible. Monitoring for unusual cryptographic errors or anomalies in affected systems can help detect potential exploitation attempts. Maintain awareness of updates from Cloudflare and related security advisories for any emerging exploit information or further patches.