GHSA-hcgc-hfp6-58v4
A vulnerability in the ML-KEM-1024 x64 AVX2 implementation of the Fujisaki-Okamoto transform causes an implicit rejection failure that breaks IND-CCA2 security. The constant-time ciphertext comparison during decapsulation fails to compare the final 32-byte block of the ciphertext, allowing manipulated ciphertexts in that region to be accepted incorrectly. This results in decapsulation returning the real shared secret instead of rejecting the ciphertext as required by the standard.
AI Analysis
Technical Summary
The ML-KEM-1024 x64 AVX2 implementation of the Fujisaki-Okamoto transform contains a flaw where the AVX2 constant-time ciphertext comparison used during decapsulation does not include the final 32-byte block of the 1568-byte ciphertext. Because of this, ciphertexts altered only in those final bytes compare as equal to the original, causing the decapsulation process to return the actual shared secret rather than performing the implicit rejection mandated by the IND-CCA2 security standard. This breaks the intended security guarantees of the scheme.
Potential Impact
This vulnerability breaks the IND-CCA2 security property of the Fujisaki-Okamoto transform in the affected implementation, potentially allowing attackers to manipulate ciphertexts in a way that bypasses implicit rejection. As a result, decapsulation may return the real shared secret for manipulated ciphertexts, undermining the confidentiality guarantees of the cryptographic scheme. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided. Until a fix is available, users should avoid using the affected ML-KEM-1024 x64 AVX2 implementation or apply any vendor-recommended mitigations once published.
GHSA-hcgc-hfp6-58v4
Description
A vulnerability in the ML-KEM-1024 x64 AVX2 implementation of the Fujisaki-Okamoto transform causes an implicit rejection failure that breaks IND-CCA2 security. The constant-time ciphertext comparison during decapsulation fails to compare the final 32-byte block of the ciphertext, allowing manipulated ciphertexts in that region to be accepted incorrectly. This results in decapsulation returning the real shared secret instead of rejecting the ciphertext as required by the standard.
CVSS v4.0
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ML-KEM-1024 x64 AVX2 implementation of the Fujisaki-Okamoto transform contains a flaw where the AVX2 constant-time ciphertext comparison used during decapsulation does not include the final 32-byte block of the 1568-byte ciphertext. Because of this, ciphertexts altered only in those final bytes compare as equal to the original, causing the decapsulation process to return the actual shared secret rather than performing the implicit rejection mandated by the IND-CCA2 security standard. This breaks the intended security guarantees of the scheme.
Potential Impact
This vulnerability breaks the IND-CCA2 security property of the Fujisaki-Okamoto transform in the affected implementation, potentially allowing attackers to manipulate ciphertexts in a way that bypasses implicit rejection. As a result, decapsulation may return the real shared secret for manipulated ciphertexts, undermining the confidentiality guarantees of the cryptographic scheme. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided. Until a fix is available, users should avoid using the affected ML-KEM-1024 x64 AVX2 implementation or apply any vendor-recommended mitigations once published.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-hcgc-hfp6-58v4
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-10097"]
- Ecosystems
- []
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a3ef79027e9c79719ff6e72
Added to database: 06/26/2026, 22:05:04 UTC
Last enriched: 06/26/2026, 22:17:17 UTC
Last updated: 06/27/2026, 01:11:15 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.