CVE-2026-6330
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path.
Risk Assessment
An attacker can supply a manipulated ciphertext that goes undetected by the recipient, bypassing the standard implicit rejection and potentially leaking key information.
Recommendation
Immediately update the ML-KEM library to a version that fixes the ciphertext comparison on ARM64 NEON. Until updated, disable NEON optimizations for this operation.
Original NVD description (English source)
The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.

