CVE-2026-6330

Description

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.

References

• https://github.com/wolfSSL/wolfssl/pull/10192
• https://www.wolfssl.com/docs/security-vulnerabilities/