CVE-2025-8556

NameCVE-2025-8556
DescriptionA flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-cloudflare-circl (PTS)bullseye1.0.0+20200724-1vulnerable
bookworm1.3.1-2vulnerable
trixie1.6.1-1fixed
forky, sid1.6.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-cloudflare-circlsource(unstable)1.6.1-1

Notes

[bookworm] - golang-github-cloudflare-circl <no-dsa> (Minor issue)
[bullseye] - golang-github-cloudflare-circl <postponed> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2371624
https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
Search for package or bug name: Reporting problems