diff --git a/.audit/oberstet_fix_1856.md b/.audit/oberstet_fix_1856.md
new file mode 100644
index 000000000..c624e973c
--- /dev/null
+++ b/.audit/oberstet_fix_1856.md
@@ -0,0 +1,8 @@
+- [ ] I did **not** use any AI-assistance tools to help create this pull request.
+- [x] I **did** use AI-assistance tools to *help* create this pull request.
+- [x] I have read, understood and followed the projects' [AI Policy](https://github.com/crossbario/autobahn-python/blob/main/AI_POLICY.md) when creating code, documentation etc. for this pull request.
+
+Submitted by: @oberstet
+Date: 2026-06-16
+Related issue(s): #1856
+Branch: oberstet:1856
diff --git a/.cicd b/.cicd
index 8f520a97a..f77ca2b6a 160000
--- a/.cicd
+++ b/.cicd
@@ -1 +1 @@
-Subproject commit 8f520a97afec7321f5d5a38a2d7ccc965a592a2a
+Subproject commit f77ca2b6a3ac1399bcd24c3ccc674cc68e85273f
diff --git a/docs/changelog.rst b/docs/changelog.rst
index c9ea74e3f..d662da1ea 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -26,6 +26,8 @@ Changelog * Bump shared ``.ai`` (wamp-ai) and ``.cicd`` (wamp-cicd) submodules to match zlmdb exactly (#1853) * Fix ``scripts/update_flatbuffers.sh`` git-version capture for submodule checkouts (``.git`` is a file, not a directory) (#1853) +* Bump the ``.cicd`` (wamp-cicd) submodule to pick up the script/shell-injection fix in the shared ``identifiers.yml`` reusable workflow (untrusted GitHub event fields are now passed via ``env:`` as quoted data with a fail-closed branch-name allowlist) (#1856) +* Fail wheel builds hard when NVX was requested (``AUTOBAHN_USE_NVX``) but the CFFI extension did not compile, instead of silently degrading to a pure-Python (``py3-none-any``) wheel. A transient native-compile crash (e.g. a ``gcc`` SIGSEGV under QEMU ARM64 emulation) now aborts the build with a non-zero exit so CI can retry it, rather than uploading a structurally valid but unintended artifact. Building with ``AUTOBAHN_USE_NVX=0`` still produces a pure-Python wheel as before (#1856) 25.12.2 ------- diff --git a/hatch_build.py b/hatch_build.py index 97969ba60..40ed494a5 100644 --- a/hatch_build.py +++ b/hatch_build.py 
@@ -49,21 +49,44 @@ def initialize(self, version, build_data): built_nvx = False built_flatc = False - # Check if NVX build is disabled - if os.environ.get("AUTOBAHN_USE_NVX", "1") not in ("0", "false"): + # NVX (Native Vector Extensions) is an OPTIONAL accelerator: autobahn + # ships pure-Python fallbacks for both the XOR masker and the UTF-8 + # validator (see autobahn.websocket.xormasker), and AUTOBAHN_USE_NVX=0 + # is an explicitly supported configuration that yields a legitimate + # pure-Python (py3-none-any) wheel. + nvx_requested = os.environ.get("AUTOBAHN_USE_NVX", "1") not in ("0", "false") + + if nvx_requested: # Build CFFI modules (NVX) built_nvx = self._build_cffi_modules(build_data) else: print("AUTOBAHN_USE_NVX is disabled, skipping CFFI build") + # When NVX was requested but no extension was produced, the CFFI compile + # failed silently (_build_cffi_modules swallows compile errors and just + # returns False). Refuse to degrade a platform wheel into a structurally + # valid but unintended pure-Python (py3-none-any) wheel: fail the build + # hard so that a transient native-compile crash (e.g. a gcc SIGSEGV + # under QEMU ARM64 emulation) aborts with a non-zero exit and is retried + # by CI, instead of being uploaded as a degraded artifact. See #1856. + if nvx_requested and not built_nvx: + raise RuntimeError( + "NVX CFFI extension was requested (AUTOBAHN_USE_NVX) but was not " + "built - refusing to emit a pure-Python (py3-none-any) autobahn " + "wheel. See the build log above for the underlying compile " + "failure. Set AUTOBAHN_USE_NVX=0 to intentionally build a " + "pure-Python wheel." + ) + # Build and bundle the flatc compiler (developer convenience). The # binary FlatBuffers schemas (reflection.bfbs, wamp.bfbs) are NOT # generated here: they are committed to the source tree and shipped # as-is, so a package build never needs to *run* flatc (required for - # cross-compilation - see module docstring). + # cross-compilation - see module docstring). 
flatc is best-effort and + # does NOT gate the wheel tag. built_flatc = self._build_flatc(build_data) - # If we built any extensions, mark this as a platform-specific wheel + # If we built any extensions, mark this as a platform-specific wheel. if built_nvx or built_flatc: build_data["infer_tag"] = True build_data["pure_python"] = False
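Review bot: The new fail-closed `raise` hinges on `nvx_requested`, which is true whenever `AUTOBAHN_USE_NVX` is unset or holds anything other than the exact strings `0` or `false`, so a value such as `False` or `no`, which before this change still ended in a quiet pure-Python fallback when the compile failed, now aborts the build with `RuntimeError`. The same presumably applies to a default source build on a host without a working C toolchain, since the variable defaults to `"1"`. If that is the intended integrity guarantee, say so next to the assignment (`# unset counts as requested: a build without a compiler must set AUTOBAHN_USE_NVX=0`); otherwise normalise the value first, `nvx_requested = os.environ.get("AUTOBAHN_USE_NVX", "1").strip().lower() not in ("0", "false")`, keeping the accepted spellings in step with any other place that reads the variable. Separately, the added comment says flatc "does NOT gate the wheel tag", yet the unchanged `if built_nvx or built_flatc:` below still sets `infer_tag` when only flatc was built, so "a flatc failure does not fail the build" would describe the code more accurately. `initialize` begins above this hunk and may continue past it.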