Monthly
Compiler-induced timing side channel in Mbed TLS through 4.0.0 and TF-PSA-Crypto through 1.0.0 allows information disclosure of RSA private keys and CBC/ECB-decrypted plaintext when LLVM's select-optimize feature is enabled during compilation. The vulnerability arises from compiler optimization that violates constant-time implementation guarantees, potentially exposing cryptographic material to timing analysis attacks despite developers' explicit use of constant-time code patterns.
Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability in OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Rated medium severity (CVSS 4.1), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in Ruby. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Compiler-induced timing side channel in Mbed TLS through 4.0.0 and TF-PSA-Crypto through 1.0.0 allows information disclosure of RSA private keys and CBC/ECB-decrypted plaintext when LLVM's select-optimize feature is enabled during compilation. The vulnerability arises from compiler optimization that violates constant-time implementation guarantees, potentially exposing cryptographic material to timing analysis attacks despite developers' explicit use of constant-time code patterns.
Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability in OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Rated medium severity (CVSS 4.1), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in Ruby. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.