deps: update module github.com/cloudflare/circl to v1.6.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cloudflare/circl	v1.6.0 → v1.6.1

GitHub Vulnerability Alerts

CVE-2025-8556

Impact

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.

Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.

Patches

Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.

We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.

---

Release Notes

cloudflare/circl (github.com/cloudflare/circl)

v1.6.1: CIRCL v1.6.1

Compare Source

CIRCL v1.6.1

• Fixes some point checks on the FourQ curve.
• Hybrid KEM fails on low-order points.

What's Changed

• kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in #​541
• .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in #​542
• Fixes several errors on twisted Edwards curves. by @​armfazh in #​545
• Release v1.6.1 by @​armfazh in #​546

Full Changelog: cloudflare/circl@v1.6.0...v1.6.1

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.