Top stories
AI-assisted audit finds seven real bugs in Cloudflare's CIRCL
- Category: Security
- Status: confirmed
- Sources: zkSecurity writeup, CIRCL repository, HN discussion
- Summary: zkSecurity published on 2026-07-07 an account of an AI-assisted audit of Cloudflare's CIRCL advanced and post-quantum cryptography library that surfaced seven genuine bugs. The findings include a Float64 precision loss in threshold RSA share computation, a DLEQ proof forgery through attacker-controlled security parameters, a BLS aggregate-signature rogue-key weakness from a missing message-distinctness check, an HPKE pre-shared-key validation bypass, an integer overflow in Lagrange coefficient computation, and a CP-ABE access-control break. Cloudflare fixed each issue and paid bounties through HackerOne. The team said humans validated every finding before disclosure.
- Why it matters: It is concrete evidence that current models, paired with cryptography-specific prompting and human verification, can find exploitable flaws in production cryptographic code.