CVE-2026-10097 in wolfSSL

Summary

by MITRE • 06/25/2026

ML-KEM-1024 x64 AVX2 implicit rejection failure in the Fujisaki-Okamoto transform breaks IND-CCA2 security, allowing decapsulation to deviate from the implicit-rejection behavior required by the standard. The AVX2 constant-time ciphertext comparison used during decapsulation never compared the final 32-byte block of the 1568-byte ML-KEM-1024 ciphertext, so a ciphertext manipulated only in those final bytes would compare as equal and decapsulation returned the real shared secret instead of performing the required implicit rejection.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability described represents a critical flaw in the ML-KEM-1024 implementation that undermines fundamental security guarantees of the post-quantum cryptographic algorithm. This issue specifically affects the Fujisaki-Okamoto transform, which is designed to provide IND-CCA2 security for NIST PQC finalist Kyber. The flaw manifests as an implicit rejection failure during decapsulation operations on x64 systems utilizing AVX2 instruction set extensions. The vulnerability stems from an incomplete constant-time comparison mechanism that fails to examine the final 32-byte block of the 1568-byte ciphertext structure, creating a potential attack vector that violates core cryptographic security assumptions.

The technical implementation flaw directly relates to CWE-707 and CWE-1243, which address improper handling of cryptographic operations and weak cryptographic implementations respectively. When the AVX2 optimized comparison routine processes ciphertexts during decapsulation, it executes a constant-time operation but omits the final 32-byte segment that contains critical verification data. This omission occurs because the implementation only compares the first 1536 bytes of the 1568-byte ciphertext structure, leaving the last 32 bytes unverified during the equality check. The result is that manipulated ciphertexts which differ only in their final bytes can pass the comparison test and successfully decapsulate, returning the legitimate shared secret instead of triggering the required implicit rejection mechanism.

The operational impact of this vulnerability extends beyond simple cryptographic weakness to encompass potential compromise of key exchange integrity within systems relying on ML-KEM-1024 for post-quantum security. This flaw violates the fundamental principles of IND-CCA2 security by allowing attackers to craft ciphertexts that bypass the implicit rejection protocol, potentially enabling adaptive chosen-ciphertext attacks. The vulnerability is particularly concerning in environments where ML-KEM-1024 is used for secure communications, key establishment, or digital signatures, as it creates opportunities for adversaries to manipulate encrypted data without detection while maintaining the appearance of successful decryption.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1593, which involves reconnaissance of cryptographic implementations, and could be leveraged by attackers to perform cryptanalysis against systems using affected implementations. The implicit rejection mechanism is crucial for maintaining security margins in KEM constructions, as it prevents attackers from exploiting the relationship between ciphertexts and shared secrets through carefully crafted manipulations. The specific nature of this flaw means that attackers need only modify the final 32 bytes of a valid ciphertext to potentially exploit the vulnerability, making detection difficult and exploitation straightforward once the attack vector is understood.

Mitigation strategies must include immediate code fixes that ensure complete constant-time comparison of all ciphertext segments during decapsulation operations. System administrators should implement comprehensive testing procedures to verify correct implementation of the Fujisaki-Okamoto transform, particularly focusing on edge cases involving boundary conditions in AVX2 optimized routines. The fix requires modifications to the comparison algorithm to guarantee that all 1568 bytes are examined during equality checks, eliminating the possibility of bypassing the implicit rejection mechanism through targeted manipulation of the final 32-byte block. Additionally, organizations should consider implementing cryptographic validation procedures that include testing for timing variations and constant-time behavior in their security testing protocols to prevent similar issues from arising in other cryptographic implementations.
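The following C program is an added illustration of the bug class described in the Summary and of the regression test the mitigation paragraph calls for; it is constructed for this page and is not wolfSSL's code. It models the decapsulation tail of the Fujisaki-Okamoto transform with scalar loops standing in for the AVX2 block compare: a defective comparison whose loop bound stops one 32-byte block short (so it covers 1536 of the 1568 bytes), a corrected comparison that covers every byte including any tail, a branch-free key selection, and a check that corrupts a single byte of a constructed ciphertext and reports whether the real shared secret is released. The ciphertext contents, the key values and the function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CT_BYTES   1568   /* ML-KEM-1024 ciphertext length stated in the advisory */
#define BLOCK      32     /* width of one 256-bit AVX2 compare, modelled with scalar code */
#define KEY_BYTES  32

typedef int (*compare_fn)(const uint8_t *, const uint8_t *, size_t);

/* Constructed model of the defective comparison: the block count is one
 * short, so bytes 1536..1567 are never folded into the accumulator.
 * Returns 0 when the bytes it inspected are equal, 1 otherwise. */
static int ct_compare_missing_tail(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t acc = 0;
    size_t blocks = len / BLOCK - 1;            /* 49 - 1 = 48 blocks = 1536 bytes */
    for (size_t i = 0; i < blocks * BLOCK; i++)
        acc |= a[i] ^ b[i];
    return acc != 0;
}

/* Corrected comparison: whole blocks first, then any remaining tail bytes,
 * so every byte contributes and the amount of work does not depend on data. */
static int ct_compare_full(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t acc = 0;
    size_t i = 0;
    for (; i + BLOCK <= len; i += BLOCK)
        for (size_t j = 0; j < BLOCK; j++)
            acc |= a[i + j] ^ b[i + j];
    for (; i < len; i++)
        acc |= a[i] ^ b[i];
    return acc != 0;
}

/* Branch-free selection between the real shared secret and the
 * implicit-rejection value, driven by the comparison result. */
static void ct_select(uint8_t *out, const uint8_t *real_key,
                      const uint8_t *reject_key, int differ)
{
    uint8_t mask = (uint8_t)(0u - (unsigned)(differ & 1));   /* 0x00 or 0xFF */
    for (size_t i = 0; i < KEY_BYTES; i++)
        out[i] = (uint8_t)((real_key[i] & (uint8_t)~mask) | (reject_key[i] & mask));
}

/* Model of the FO decapsulation tail: the decapsulator has re-encrypted the
 * recovered message to obtain c' and compares it with the received c.
 * Returns 1 if the real shared secret was released, 0 if the rejection key
 * was selected. A correct implementation returns 0 whenever c != c'. */
static int decaps_releases_real_key(compare_fn cmp, const uint8_t *received,
                                    const uint8_t *recomputed)
{
    uint8_t real_key[KEY_BYTES], reject_key[KEY_BYTES], out[KEY_BYTES];
    memset(real_key, 0xAA, sizeof real_key);     /* constructed stand-in for K */
    memset(reject_key, 0x55, sizeof reject_key); /* constructed stand-in for J(z, c) */
    int differ = cmp(received, recomputed, CT_BYTES);
    ct_select(out, real_key, reject_key, differ);
    return memcmp(out, real_key, KEY_BYTES) == 0;
}

/* Regression check: build a constructed ciphertext, corrupt one byte at
 * flip_at, and report whether decapsulation wrongly releases the real key
 * (1) or performs implicit rejection as required (0). */
static int real_key_leaks_after_flip(compare_fn cmp, size_t flip_at)
{
    uint8_t recomputed[CT_BYTES], received[CT_BYTES];
    for (size_t i = 0; i < CT_BYTES; i++)
        recomputed[i] = (uint8_t)(i * 31 + 7);   /* deterministic constructed pattern */
    memcpy(received, recomputed, CT_BYTES);
    received[flip_at] ^= 0x01;
    return decaps_releases_real_key(cmp, received, recomputed);
}

int main(void)
{
    size_t probes[] = { 0, 1535, 1536, CT_BYTES - 1 };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++)
        printf("flip byte %4zu: defective leaks=%d  fixed leaks=%d\n", probes[k],
               real_key_leaks_after_flip(ct_compare_missing_tail, probes[k]),
               real_key_leaks_after_flip(ct_compare_full, probes[k]));
    return 0;
}
```

A test of this shape, sweeping the flipped byte across every block boundary and the last byte of the ciphertext, is what catches a short loop bound in a vectorised compare; a single test that corrupts only the first byte passes against both variants and gives no signal.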

Responsible

wolfSSL

Reservation

05/29/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00152

KEV

no

Activities

low

Sources
