Critical Vulnerability Information Vulnerability Details CVE ID: CVE-2025-8556, GHSA-2x5j-vhc8-9cwm Bug ID: Bug 2371624 Product: Security Response Component: vulnerability Priority: Low Severity: Low Operating System: Linux Impact Description The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult that can lead to incorrect results in the isEqual function and when determining if a point lies on the curve. Mitigation Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) addresses the identified issues. Reporter and Timeline Reporter: OSIDB Bzimport Reported Time: 2025-06-11 00:01 UTC Last Modified: 2025-08-04 19:11 UTC