GHSA-gjm7-vch5-hch8
A vulnerability exists in the X25519 x86_64 assembly implementation where the most significant bit is not cleared during the final modular reduction. This results in the computed field element potentially being in a non-canonical form, causing incorrect scalar multiplication outcomes and possibly wrong shared secrets. The issue stems from the final carry-propagation chains overflowing into the top bit without proper masking.
AI Analysis
Technical Summary
The X25519 x86_64 assembly code fails to clear the most significant bit during the final modular reduction step modulo the prime 2^255 - 19. This failure leaves the field element in a non-canonical form, which can cause incorrect results in scalar multiplication operations and potentially produce incorrect shared secrets. The root cause is that the final carry-propagation chains in the x64 and AVX2 reduction routines may overflow into the top bit, and the high limb is not masked afterward, violating the expected 255-bit field element representation.
Potential Impact
The vulnerability can cause incorrect scalar multiplication results and potentially wrong shared secrets in cryptographic operations using the affected X25519 implementation. This may undermine the correctness of cryptographic protocols relying on this scalar multiplication but does not directly indicate a compromise or leakage of secret data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
GHSA-gjm7-vch5-hch8
Description
A vulnerability exists in the X25519 x86_64 assembly implementation where the most significant bit is not cleared during the final modular reduction. This results in the computed field element potentially being in a non-canonical form, causing incorrect scalar multiplication outcomes and possibly wrong shared secrets. The issue stems from the final carry-propagation chains overflowing into the top bit without proper masking.
CVSS v4.0
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The X25519 x86_64 assembly code fails to clear the most significant bit during the final modular reduction step modulo the prime 2^255 - 19. This failure leaves the field element in a non-canonical form, which can cause incorrect results in scalar multiplication operations and potentially produce incorrect shared secrets. The root cause is that the final carry-propagation chains in the x64 and AVX2 reduction routines may overflow into the top bit, and the high limb is not masked afterward, violating the expected 255-bit field element representation.
Potential Impact
The vulnerability can cause incorrect scalar multiplication results and potentially wrong shared secrets in cryptographic operations using the affected X25519 implementation. This may undermine the correctness of cryptographic protocols relying on this scalar multiplication but does not directly indicate a compromise or leakage of secret data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-gjm7-vch5-hch8
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-10512"]
- Ecosystems
- []
- Database Specific Severity
- LOW
- Cvss Version
- 4.0
Threat ID: 6a3ef79027e9c79719ff6e77
Added to database: 06/26/2026, 22:05:04 UTC
Last enriched: 06/26/2026, 22:17:21 UTC
Last updated: 06/27/2026, 01:11:14 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.