GHSA-89v8-3927-wfcgMediumCVSS 6.5

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the...

Published
June 26, 2026
Last Modified
June 27, 2026

🔗 CVE IDs covered (1)

📋 Description

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.

🔗 References (4)