chore(deps): update module github.com/cloudflare/circl to v1.6.3 [security] (master)

[phisco-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cloudflare/circl	v1.3.7 → v1.6.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results

CVE-2025-8556 / GHSA-2x5j-vhc8-9cwm

More information

Details

Impact

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.

Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.

Patches

Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.

We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
• https://github.com/cloudflare/circl/tree/v1.6.1
• https://nvd.nist.gov/vuln/detail/CVE-2025-8556
• https://access.redhat.com/security/cve/CVE-2025-8556
• https://bugzilla.redhat.com/show_bug.cgi?id=2371624
• https://news.ycombinator.com/item?id=45669593
• https://www.botanica.software/blog/cryptographic-issues-in-cloudflares-circl-fourq-implementation
• https://github.com/advisories/GHSA-2x5j-vhc8-9cwm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

CIRCL has an incorrect calculation in secp384r1 CombinedMult

CVE-2026-1229 / GHSA-q9hv-hpm4-hj6x

More information

Details

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3.

Severity

• CVSS Score: 2.9 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x
• https://nvd.nist.gov/vuln/detail/CVE-2026-1229
• https://github.com/cloudflare/circl/pull/583
• https://github.com/cloudflare/circl/releases/tag/v1.6.3
• https://github.com/advisories/GHSA-q9hv-hpm4-hj6x

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results

CVE-2025-8556 / GHSA-2x5j-vhc8-9cwm / GO-2025-3754

More information

Details

Impact

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.

Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.

Patches

Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.

We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
• https://nvd.nist.gov/vuln/detail/CVE-2025-8556
• https://access.redhat.com/security/cve/CVE-2025-8556
• https://bugzilla.redhat.com/show_bug.cgi?id=2371624
• https://github.com/cloudflare/circl
• https://github.com/cloudflare/circl/tree/v1.6.1
• https://news.ycombinator.com/item?id=45669593
• https://www.botanica.software/blog/cryptographic-issues-in-cloudflares-circl-fourq-implementation

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl

CVE-2025-8556 / GHSA-2x5j-vhc8-9cwm / GO-2025-3754

More information

Details

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl

Severity

Unknown

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
• https://github.com/cloudflare/circl/tree/v1.6.1

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

CIRCL has an incorrect calculation in secp384r1 CombinedMult

CVE-2026-1229 / GHSA-q9hv-hpm4-hj6x / GO-2026-4550

More information

Details

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3.

Severity

• CVSS Score: 2.9 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x
• https://nvd.nist.gov/vuln/detail/CVE-2026-1229
• https://github.com/cloudflare/circl/pull/583
• https://github.com/cloudflare/circl
• https://github.com/cloudflare/circl/releases/tag/v1.6.3

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl

CVE-2026-1229 / GHSA-q9hv-hpm4-hj6x / GO-2026-4550

More information

Details

CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl

Severity

Unknown

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x
• https://nvd.nist.gov/vuln/detail/CVE-2026-1229
• https://github.com/cloudflare/circl/pull/583
• https://github.com/cloudflare/circl/releases/tag/v1.6.3

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

cloudflare/circl (github.com/cloudflare/circl)

v1.6.3: CIRCL v1.6.3

Compare Source

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

• sign/mldsa: Check opts for nil value by @​armfazh in #​582
• ecc/p384: Point addition must handle point doubling case. by @​armfazh in #​583
• Release CIRCL v1.6.3 by @​armfazh in #​584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

v1.6.2: CIRCL v1.6.2

Compare Source

CIRCL v1.6.2

• New SLH-DSA, improvements in ML-DSA for arm64.
• Tested compilation on WASM.

What's Changed

• Optimize pairing product computation by moving exponentiations to G1. by @​dfaranha in #​547
• sign: Adding SLH-DSA signature by @​armfazh in #​512
• Update code generators to CIRCL v1.6.1. by @​armfazh in #​548
• ML-DSA: Add preliminary Wycheproof test vectors by @​bwesterb in #​552
• go fmt by @​bwesterb in #​554
• gz-compressing test vectors, use of HexBytes and ReadGzip functions. by @​armfazh in #​555
• group: Removes use of elliptic Marshal and Unmarshal functions. by @​armfazh in #​556
• Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by @​bwesterb in #​559
• Update to golangci-lint v2 by @​bwesterb in #​560
• Preparation for ARM64 Implementation of poly operations for dilithium package. by @​elementrics in #​562
• prepare power2Round for custom implementations in assembly by @​elementrics in #​564
• ARM64 implementation for poly.PackLe16 by @​elementrics in #​563
• add arm64 version of polyMulBy2toD by @​elementrics in #​565
• add arm64 version of polySub by @​elementrics in #​566
• group: add byteLen method for short groups and RandomScalar uses rand.Int by @​armfazh in #​568
• add arm64 version of poly.Add/Sub by @​elementrics in #​572
• group: Adding cryptobyte marshaling to scalars by @​armfazh in #​569
• Bumping up to Go1.25 by @​armfazh in #​574
• ci: Including WASM compilation. by @​armfazh in #​577
• Revert to using package-declared HPKE errors for shortkem instead of standard library errors by @​harshiniwho in #​578
• Release v1.6.2 by @​armfazh in #​579

New Contributors

• @​dfaranha made their first contribution in #​547
• @​elementrics made their first contribution in #​562
• @​harshiniwho made their first contribution in #​578

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

v1.6.1: CIRCL v1.6.1

Compare Source

CIRCL v1.6.1

• Fixes some point checks on the FourQ curve.
• Hybrid KEM fails on low-order points.

What's Changed

• kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in #​541
• .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in #​542
• Fixes several errors on twisted Edwards curves. by @​armfazh in #​545
• Release v1.6.1 by @​armfazh in #​546

Full Changelog: cloudflare/circl@v1.6.0...v1.6.1

v1.6.0: CIRCL v1.6.0

Compare Source

CIRCL v1.6.0

New!

• Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf).
• X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem)

What's Changed

• Add OIDs to ML-DSA by @​bwesterb in #​519
• Adds Prio3 a set of verifiable distributed aggregation functions. by @​armfazh in #​522
• Run semgrep cronjob only in upstream repository. by @​armfazh in #​526
• X-Wing PQ/T hybrid by @​bwesterb in #​471
• ckem: move crypto/elliptic to crypto/ecdh by @​MingLLuo in #​529
• hpke: Update HPKE code to use ecdh stdlib package. by @​armfazh in #​530
• prio3: Adds polynomial multiplication using NTT by @​armfazh in #​532
• Add Prio3 in readme. by @​armfazh in #​527

New Contributors

• @​MingLLuo made their first contribution in #​529

Full Changelog: cloudflare/circl@v1.5.0...v1.6.0

v1.5.0: CIRCL v1.5.0

Compare Source

CIRCL v1.5.0

New: ML-DSA, Module-Lattice-based Digital Signature Algorithm.

What's Changed

• kem: add X25519MLKEM768 TLS hybrid KEM by @​bwesterb in #​510
• Create semgrep.yml by @​hrushikeshdeshpande in #​514
• repo: Some fixes reported by CodeQL by @​armfazh in #​515
• Add ML-DSA (FIPS204) by @​bwesterb in #​480
• sign/mldsa: Add test for ML-DSA signature verification. by @​armfazh in #​517
• Release v1.5.0 by @​armfazh in #​518

New Contributors

• @​hrushikeshdeshpande made their first contribution in #​514

Full Changelog: cloudflare/circl@v1.4.0...v1.5.0

v1.4.0: CIRCL v1.4.0

Compare Source

CIRCL v1.4.0

Changes

New: ML-KEM compatible with FIPS-203.

Commit History

• eddilithium3: fix typos by @​bwesterb in #​503
• Add ML-KEM (FIPS 203). by @​bwesterb in #​470
• Add ML-KEM decapsulation key check. by @​bwesterb in #​507
• Preparing for release v1.4.0 by @​armfazh in #​508

Full Changelog: cloudflare/circl@v1.3.9...v1.4.0

v1.3.9: CIRCL v1.3.9

Compare Source

CIRCL v1.3.9

Changes:

• Fix bug on BLS12381 decoding elements.

Commit History

• dilithium: fix typo by @​bwesterb in #​498
• bls12381: Detects invalid prefix in G1 and G2 serialized elements by @​armfazh in #​500
• Preparing CIRCL release v1.3.9 by @​armfazh in #​501

Full Changelog: cloudflare/circl@v1.3.8...v1.3.9

v1.3.8: CIRCL v1.3.8

Compare Source

CIRCL v1.3.8

New

• BLS Signatures on top of BLS12-381.
• Adopt faster squaring in pairings.
• BlindRSA compliant with RFC9474.
• (Verifiable) Secret Sharing compatible with the Group interface (elliptic curves).

Notice

• Update on cpabe/tkn20 ciphertexts, read more at https://github.com/cloudflare/circl/wiki/tkn20-Ciphertext-Format-(v1.3.8)

What's Changed

• Implement Granger-Scott faster squaring in the cyclotomic subgroup. by @​armfazh in #​449
• Updates avo and CIRCL's own dependency. by @​armfazh in #​474
• Updating documentation for OPRF package. by @​armfazh in #​475
• group: removes order method from group interface by @​armfazh in #​356
• zk/dleq: Adding DLEQ proofs for Qn, the subgroup of squares in (Z/nZ)* by @​armfazh in #​451
• Reduce x/crypto and x/sys versions to match Go 1.21 by @​Lekensteyn in #​476
• Bump GitHub Actions versions and use Go 1.22 and 1.21 by @​Lekensteyn in #​477
• Adding rule for constant values by @​armfazh in #​478
• Add BLS signatures over BLS12-381 by @​armfazh in #​446
• group: Implements Shamir and Feldman secret sharing. by @​armfazh in #​348
• blindrsa: add support for all variants of RFC9474 by @​armfazh in #​479
• Explicitly installs Go with version before CodeQL analysis. by @​armfazh in #​481
• Bumps golangci-lint action by @​armfazh in #​485
• ecc/bls12381: Ensures pairing operations don't overwrite their input by @​armfazh in #​494
• Align to the purego build tag, removing noasm build tag by @​mattyclarkson in #​492
• cpabe: Serializing ciphertext with 32-bit prefixes. by @​armfazh in #​490

New Contributors

• @​mattyclarkson made their first contribution in #​492

Full Changelog: cloudflare/circl@v1.3.7...v1.3.8

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[phisco-renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.21 -> 1.22.0
go (toolchain)	1.21.6 -> 1.23.10

[phisco-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.mod

Command failed: install-tool golang $(grep -oP ^toolchain go\K.+ go.mod)