• Category: Security
  • Status: confirmed
  • Sources: zkSecurity writeup, CIRCL repository, HN discussion
  • Summary: zkSecurity published on 2026-07-07 an account of an AI-assisted audit of Cloudflare's CIRCL advanced and post-quantum cryptography library that surfaced seven genuine bugs. The findings include a Float64 precision loss in threshold RSA share computation, a DLEQ proof forgery through attacker-controlled security parameters, a BLS aggregate-signature rogue-key weakness from a missing message-distinctness check, an HPKE pre-shared-key validation bypass, an integer overflow in Lagrange coefficient computation, and a CP-ABE access-control break. Cloudflare fixed each issue and paid bounties through HackerOne. The team said humans validated every finding before disclosure.
  • Why it matters: It is concrete evidence that current models, paired with cryptography-specific prompting and human verification, can find exploitable flaws in production cryptographic code.

Send feedback on this story