[GHSA-q9hv-hpm4-hj6x] CIRCL has an incorrect calculation in secp384r1 CombinedMult

[yusuke-koyoshi]

Updates

• CVSS v4
• Severity

Comments
Current vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber Score: 2.9 (LOW)
Proposed vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/U:Amber Score: 6.3 (MEDIUM)

Removal of E:P (Exploit Maturity): Threat Metrics are intended to reflect the current threat landscape and require continuous updates. As GHSA does not maintain an ongoing update process for Threat Metrics, including a static E:P value artificially suppresses the score and may mislead consumers. Since Threat Metrics can only lower the Base score, an outdated value is more harmful than omitting it.

VA:L → VA:N: The advisory does not describe any availability impact. The incorrect calculation in CombinedMult does not cause a denial-of-service condition, so VA:L is not justified.

SC/SI/SA:L → SC/SI/SA:N: The advisory explicitly states "ECDH and ECDSA signing relying on this curve are not affected." There is no demonstrated impact on subsequent systems, making SC/SI/SA:N the appropriate value.

The "Suggest improvements" form on GitHub does not support input of Supplemental Metrics. However, the current advisory includes S:N/AU:Y/U:Amber, and since Supplemental Metrics have no effect on the CVSS score, we recommend retaining these values as-is when applying the proposed changes. The intended final vector, including Supplemental Metrics, is:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/U:Amber

[github]

Hi there @mschwarzl! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

Updates the GHSA advisory metadata to reflect an updated CVSS v4 vector and severity for the CIRCL secp384r1 CombinedMult calculation issue.

Changes:

• Updated the advisory modified timestamp.
• Updated the CVSS v4 vector in severity[].score.
• Raised overall advisory severity from LOW to MODERATE.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[shelbyc]

Hi @yusuke-koyoshi, Cloudflare is the publisher of both GHSA-q9hv-hpm4-hj6x and its corresponding CVE record, https://nvd.nist.gov/vuln/detail/CVE-2026-1229. Their CVSS of CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber is reasonable for the situation described in GHSA-q9hv-hpm4-hj6x and CVE-2026-1229. Unless Cloudflare wants to reassess their CVSS, I'm planning to keep the CVSS in GHSA-q9hv-hpm4-hj6x the way it currently is.

[yusuke-koyoshi]

Hi @shelbyc, thank you for the response.

I understand that Cloudflare is the publisher and their assessment carries weight. However, my concern here is not about the reasonableness of Cloudflare's assessment in isolation, but about a structural issue with how GitHub Advisory handles CVSS v4.0 metric groups. I raised the same concern in #5663.

Threat Metrics require continuous maintenance

CVSS v4.0 Threat Metrics (such as E:P) are designed to reflect the current threat landscape and are expected to be updated over time as conditions change. A statically set E:P that is never revisited will permanently suppress the score, potentially misleading consumers who assume the value reflects an up-to-date threat assessment. There is no mechanism or commitment — from Cloudflare or GitHub — to ensure these values are maintained going forward.

GitHub Advisory is designed around Base Metrics only

• The "Suggest improvements" form does not provide fields for Threat Metrics or Supplemental Metrics — only Base Metrics can be submitted.
• The Advisory UI displays a single score without indicating whether it is CVSS-B, CVSS-BT, CVSS-BE, or CVSS-BTE.
• There is no workflow for community contributors to propose changes to Threat or Supplemental Metrics.

Given that the platform itself is built around Base Metrics only, storing Threat Metrics in the vector string creates an inconsistency. Consumers cannot tell from the UI that the displayed score has been lowered by a Threat Metric, nor can they assess whether that Threat Metric is still current.

What a vulnerability database should provide

A vulnerability database's role is to provide the intrinsic severity of a vulnerability — that is, the CVSS-B (Base) score. Threat Metrics belong to the domain of threat intelligence and require an ongoing update process that GitHub Advisory does not currently support. If a Threat Metric is not kept up to date, it may suppress the score in a way that no longer reflects the actual threat landscape.

Base Metric corrections remain unaddressed

Separately from the Threat Metrics issue, I'd appreciate a technical response to the Base Metric corrections proposed in this PR:

• VA:L → VA:N: The advisory describes an incorrect calculation in CombinedMult, not a denial-of-service condition. What is the justification for VA:L?
• SC/SI/SA:L → SC/SI/SA:N: The advisory explicitly states "ECDH and ECDSA signing relying on this curve are not affected." What subsequent system impact justifies SC/SI/SA:L?

I'd be happy to discuss further. Thank you.