Incorrect calculation in CIRCL secp384r1 CombinedMult
Description
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in v1.6.3 (https://github.com/cloudflare/circl/releases/tag/v1.6.3).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CombinedMult function in CIRCL's P-384 package computes incorrect results for specific inputs due to incomplete addition formulas, fixed in v1.6.3 by switching to complete addition formulas.
Vulnerability
Overview
The CombinedMult function in the ecc/p384 package of the CIRCL (Cloudflare Interoperable Reusable Cryptographic Library) library, which implements the secp384r1 (P-384) elliptic curve, produces incorrect output for certain inputs [1]. The root cause is the use of incomplete point addition formulas that do not handle the point doubling case correctly [4]. The fix replaces these formulas with complete addition formulas that correctly handle all valid inputs, including edge cases [1].
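The incomplete-versus-complete distinction from the overview, as an added Go example that is not CIRCL's code (the library's real CombinedMult has its own field arithmetic and API): a toy affine m*G + n*Q over P-384 built on Go's standard-library curve parameters, whose ladder additions use either the bare chord formula or a complete dispatch. With Q = G and m = n = 1 the ladder has to compute G+G, which only the complete variant gets right; `point`, `add`, `combinedMult` and the `complete` flag are names chosen here.

```go
package main

import "crypto/elliptic"
import "math/big"

var c = elliptic.P384().Params()

// Affine P-384 point; the identity has x == nil. add's second operand is always G or Q, never the identity.
type point struct{ x, y *big.Int }

// add returns p+q. Without complete it is just the chord formula lambda = (y2-y1)/(x2-x1),
// undefined when x1 == x2 (P+P or P+(-P)); since 0^(p-2) = 0 nothing fails and the
// result is silently wrong. With complete those two cases are dispatched first.
func add(p, q point, complete bool) point {
	if p.x == nil {
		return q
	}
	if complete && p.x.Cmp(q.x) == 0 {
		if p.y.Cmp(q.y) != 0 {
			return point{} // q == -p
		}
		x, y := c.Double(p.x, p.y) // P+P goes to the dedicated doubling formula
		return point{x, y}
	}
	dx := new(big.Int).Sub(q.x, p.x)
	inv := new(big.Int).Exp(dx.Mod(dx, c.P), new(big.Int).Sub(c.P, big.NewInt(2)), c.P)
	lam := new(big.Int).Sub(q.y, p.y)
	lam.Mul(lam, inv).Mod(lam, c.P)
	x3 := new(big.Int).Mul(lam, lam)
	x3.Sub(x3, p.x).Sub(x3, q.x).Mod(x3, c.P)
	y3 := new(big.Int).Sub(p.x, x3)
	return point{x3, y3.Mul(y3, lam).Sub(y3, p.y).Mod(y3, c.P)}
}

// combinedMult computes m*G + n*Q with one shared double-and-add ladder (Shamir's trick).
func combinedMult(m, n *big.Int, q point, complete bool) point {
	acc := point{}
	for i := m.BitLen() + n.BitLen(); i >= 0; i-- { // leading zero bits are no-ops
		if acc.x != nil {
			acc.x, acc.y = c.Double(acc.x, acc.y)
		}
		if m.Bit(i) == 1 {
			acc = add(acc, point{c.Gx, c.Gy}, complete)
		}
		if n.Bit(i) == 1 {
			acc = add(acc, q, complete)
		}
	}
	return acc
}
```

A consumer-side regression check of the same shape, comparing the combined result against the two scalar multiplications added separately on inputs that force a doubling, is how such a mismatch surfaces.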
Exploitation
Scenario
The bug manifests only when the CombinedMult function is called with inputs that trigger the incomplete addition path. However, critical cryptographic operations that rely on P-384, namely ECDH key agreement and ECDSA signature generation, are explicitly not affected [1]. This suggests the function has a narrow scope of usage or that these higher-level protocols avoid the problematic inputs. An attacker would need to identify a system that directly utilizes the affected CombinedMult function with attacker-controlled inputs to exploit the incorrect output.
Impact
If triggered by the bug
If exploited, the incorrect computation could lead to unexpected results from the CombinedMult function. The severity is limited because the library itself advises caution in production use, and the most common P-384 operations (ECDH and ECDSA) are unaffected [2]. No information is provided about whether the bug leads to security-critical failures like key recovery or signature forgery; the description only states that the value is incorrect for specific inputs [1].
Mitigation
The vulnerability is fixed in CIRCL version v1.6.3, released on the project's GitHub releases page [3]. Users should update to this version or later to eliminate the bug. There is no mention of a CVSS score or inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting limited real-world exploitation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cloudflare/circl (Go) | < 1.6.3 | 1.6.3 |
Affected products
- Range: < v1.6.3
- Cloudflare/CIRCL (v5) Range: CIRCL up to version 1.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.