CVE-2026-10097— ML-KEM-1024 x64 AVX2 incomplete cipher text comparison enables IND-CCA2 break and static private-key recovery
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10097
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ML-KEM-1024 x64 AVX2 incomplete cipher text comparison enables IND-CCA2 break and static private-key recovery
Source: NVD (National Vulnerability Database)
Vulnerability Description
wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertexts that differ from the expected re-encryption solely in bytes 1536-1567 bypass implicit rejection and are accepted as valid, breaking IND-CCA2 security. An attacker able to submit chosen ciphertexts to a decapsulation oracle that uses a static ML-KEM-1024 key, and to observe whether the genuine shared secret or the implicit-rejection secret was produced, can use this as a plaintext-checking oracle to recover the private key. A proof of concept recovered a full ML-KEM-1024 private key with approximately 98% success using roughly 350 chosen ciphertexts. The flaw is a deterministic logic error and does not rely on timing measurements.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的比较
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-10097
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10097
请登录查看更多情报信息。
Vendor Pages for CVE-2026-10097 (1)
Other References for CVE-2026-10097 (1)
Same Patch Batch · wolfSSL · 2026-06-25 · 32 CVEs total
| CVE-2026-6679 | DTLS 1.3 ACK serialization heap buffer overflow via integer truncation | |
| CVE-2026-55958 | Renesas TSIP TLS 1.3 transcript buffer out-of-bounds write in tsip_StoreMessage | |
| CVE-2026-55960 | Un-negotiated Raw Public Key (RFC 7250) accepted in place of X.509, bypassing chain valida | |
| CVE-2026-55967 | AES-GCM streaming APIs do not reject >64 GiB cumulative single messages, enabling counter | |
| CVE-2026-55961 | wolfSSL_PKCS7_verify() reports success for degenerate (certs-only) PKCS#7 with no signer | |
| CVE-2026-55962 | TLS 1.3 post-handshake authentication: server accepts Finished without client Certificate/ | |
| CVE-2026-55964 | Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA (temporary CA exem | |
| CVE-2026-8720 | HMAC-BLAKE2 final discards message when key length exceeds block size | |
| CVE-2026-12340 | Out-of-bounds heap read in SM2/SM3 certificate Subject Key Identifier computation | |
| CVE-2026-10512 | X25519 x86_64 assembly final reduction leaves non-canonical field element | |
| CVE-2026-10098 | OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status | |
| CVE-2026-10592 | Wildcard DNS SAN bypasses CA name-constraint checks | |
| CVE-2026-11310 | X.509 trust-chain bypass in wolfSSL_X509_verify_cert() via untrusted intermediate anchorin | |
| CVE-2026-11703 | Missing SNI/ALPN binding on stateful (session-ID) TLS session resumption | |
| CVE-2026-11999 | X.509 trust-chain bypass via path-depth exhaustion in wolfSSL_X509_verify_cert() | |
| CVE-2026-6329 | PKCS#12 MAC verification uses attacker-controlled comparison length | |
| CVE-2026-7532 | iPAddress name constraints not enforced when WOLFSSL_IP_ALT_NAME is undefined | |
| CVE-2026-6094 | Heap buffer overread in wc_PKCS7_DecodeEnvelopedData parsing crafted PKCS7 EnvelopedData | |
| CVE-2026-6731 | X.509 name constraint bypass via Subject CN treated as a DNS name | |
| CVE-2026-6325 | Out-of-bounds write in SetSuitesHashSigAlgo on oversized signature algorithms list |
Showing top 20 of 32 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: wolfSSL
- CVE-2026-7511
PKCS7_verify signer confusion allows forged signatures to be - CVE-2026-7532
iPAddress name constraints not enforced when WOLFSSL_IP_ALT_ - CVE-2026-8720
HMAC-BLAKE2 final discards message when key length exceeds b - CVE-2026-10098
OCSP CertID serial-number length-confusion in wolfSSL_OCSP_r - CVE-2026-11703
Missing SNI/ALPN binding on stateful (session-ID) TLS sessio
Same vendor: wolfSSL
- CVE-2026-7511
PKCS7_verify signer confusion allows forged signatures to be - CVE-2026-7532
iPAddress name constraints not enforced when WOLFSSL_IP_ALT_ - CVE-2026-8720
HMAC-BLAKE2 final discards message when key length exceeds b - CVE-2026-10098
OCSP CertID serial-number length-confusion in wolfSSL_OCSP_r - CVE-2026-11703
Missing SNI/ALPN binding on stateful (session-ID) TLS sessio
Same weakness: CWE-697
- CVE-2026-9369
NousResearch hermes-agent CLI web-dashboard web_server.py _d - CVE-2026-35040
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministi - CVE-2026-34574
Parse Server: Session field immutability bypass via falsy-va - CVE-2026-34210
mppx has Stripe charge credential replay via missing idempot - CVE-2026-32322
soroban-sdk: `Fr` scalar field equality comparison bypasses
V. Comments for CVE-2026-10097
No comments yet