From PR #711, which has been closed:
The issue is that MSVC for 32-bit targets implements 64x64->64 bit multiplications using a non-constant subroutine. The subroutine is not constant-time because it shortcuts when the high 32 bits of both multiplicands are all 0. See research.kudelskisecurity.com/2017/01/16/when-constant-time-source-may-not-save-you and also bearssl.org/ctmul.html for a broader view of the issue.
I'm opening this GitHub issue here because the underlying issue hasn't been solved. (And I've checked the compiler explorer,source:'%23include+%3Cstdint.h%3E%0A%0Auint64_t+mul(uint64_t+a,+uint64_t+b)+%7B%0A++++return+a+*+b%3B%0A%7D%0A'),l:'5',n:'0',o:'C+source+%231',t:'0')),k:50,l:'4',n:'0',o:'',s:0,t:'0'),(g:!((h:compiler,i:(compiler:vc_v19_latest_x86,deviceViewOpen:'1',filters:(b:'0',binary:'1',commentOnly:'0',demangle:'0',directives:'0',execute:'1',intel:'0',libraryCode:'0',trim:'1'),flagsViewOpen:'1',fontScale:14,fontUsePx:'0',j:1,lang:___c,libs:!(),options:'',selection:(endColumn:42,endLineNumber:6,positionColumn:42,positionLineNumber:6,selectionStartColumn:42,selectionStartLineNumber:6,startColumn:42,startLineNumber:6),source:1),l:'5',n:'0',o:'+x86+msvc+v19.latest+(Editor+%231)',t:'0')),k:50,l:'4',n:'0',o:'',s:0,t:'0')),l:'2',n:'0',o:'',t:'0')),version:4), the issue is still present on the latest msvc...)
After #1000 and #1156, this is (much?) less severe because we now support 64-bit targets on MSVC, and MSVC produces proper constant-time muls for those targets, it just outputs imul.
The best solution is probably #815.