CVE Catalog

CVE-2026-6330

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path.

Risk Assessment

An attacker can supply a manipulated ciphertext that goes undetected by the recipient, bypassing the standard implicit rejection and potentially leaking key information.

Recommendation

Immediately update the ML-KEM library to a version that fixes the ciphertext comparison on ARM64 NEON. Until updated, disable NEON optimizations for this operation.

Original NVD description (English source)

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS