Vulnerability Description
wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertexts that differ from the expected re-encryption solely in bytes 1536-1567 bypass implicit rejection and are accepted as valid, breaking IND-CCA2 security. An attacker able to submit chosen ciphertexts to a decapsulation oracle that uses a static ML-KEM-1024 key, and to observe whether the genuine shared secret or the implicit-rejection secret was produced, can use this as a plaintext-checking oracle to recover the private key. A proof of concept recovered a full ML-KEM-1024 private key with approximately 98% success using roughly 350 chosen ciphertexts. The flaw is a deterministic logic error and does not rely on timing measurements.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wolfssl | Wolfssl | >= 5.7.0, < 5.9.2 |
Related Weaknesses (CWE)
References
- https://github.com/wolfSSL/wolfssl/pull/10430Issue TrackingPatch
- https://www.wolfssl.com/docs/security-vulnerabilities/Vendor Advisory
FAQ
What is CVE-2026-10097?
CVE-2026-10097 is a vulnerability with a CVSS score of 7.5 (HIGH). wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertext...
How severe is CVE-2026-10097?
CVE-2026-10097 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-10097?
Check the references section above for vendor advisories and patch information. Affected products include: Wolfssl Wolfssl.