CVE-2026-10512
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret.
Risk Assessment
The organization may obtain an incorrect shared secret during X25519 key exchange, potentially leading to failed key agreement or attacks on communication confidentiality.
Recommendation
Update the library or software using the X25519 x86_64 assembly implementation to a version that fixes the final modular reduction (masking the most significant bit).
Original NVD description (English source)
The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret. The final carry-propagation chains in the x64 and AVX2 reduction routines could overflow into the top bit, and the high limb was not masked afterward, so the 255-bit field element was left non-canonical.

