GHSA-89v8-3927-wfcgMediumCVSS 6.5
The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the...
🔗 CVE IDs covered (1)
📋 Description
The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.