CWE-385
AllowedCovert Timing Channel
Abstraction: Base · Status: Incomplete
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
76 vulnerabilities reference this CWE, most recent first.
GHSA-5739-39V2-5754
Vulnerability from github – Published: 2026-06-18 21:09 – Updated: 2026-06-18 21:09Impact
RSACrypt::decryptWithRSA15() (used by the RSA1_5 key-encryption algorithm) implements RSAES-PKCS1-v1_5 decryption by inspecting the padding after RSADP and throwing InvalidArgumentException as soon as the padding is malformed. It does not implement the implicit-rejection countermeasure required by RFC 3447 §7.2.2 / RFC 8017 §7.1.2 (return a deterministic pseudo-random value of the expected length on padding failure and let the downstream step fail uniformly).
From a JWE caller this yields a Bleichenbacher/Marvin padding oracle: an attacker submitting adaptively crafted encrypted_key values can distinguish (a) padding rejected, (b) padding valid but wrong CEK length, and (c) padding valid and full AEAD executed — even though JWEDecrypter returns the same false in all cases — because each path performs a measurably different amount of work, amplifiable by enlarging the ciphertext (CWE-208 timing side channel). Enough adaptive queries can recover the wrapped CEK.
Affected configurations
Applications that register RSA1_5 in their decryption AlgorithmManager and hold an RSA private key.
Patches
PKCS#1 v1.5 decryption now performs implicit rejection: on invalid padding (or unexpected recovered length) it returns a random CEK of the expected size selected in constant time, so the full content-decryption (AEAD) step always runs and fails uniformly, removing the observable difference between padding-valid and padding-invalid ciphertexts. Users are still strongly encouraged to migrate to RSA-OAEP.
Workarounds
Prefer RSA-OAEP/RSA-OAEP-256; do not enable RSA1_5 for untrusted tokens.
References
- RFC 3447 §7.2.2 / RFC 8017 §7.1.2
- Bleichenbacher (1998); Marvin attack
- CWE-208: Observable Timing Discrepancy
Résolution
Un correctif a été préparé sur une branche dédiée basée sur 3.4.x, avec des tests anti-régression dédiés (fork privé temporaire de cette advisory, PR #1).
RSA1_5 — déchiffrement PKCS#1 v1.5 avec implicit rejection en temps constant (RFC 3447 §7.2.2) : un padding invalide n'est plus distinguable d'un padding valide, neutralisant l'oracle Bleichenbacher.
Validation : php -l OK, PHPUnit vert, aucune nouvelle erreur PHPStan introduite (différentiel nul vs 3.4.x), aucun commentaire ajouté dans le code source. Après merge, cascade prévue 3.4.x → 4.0.x → 4.1.x.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "web-token/jwt-library"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "web-token/jwt-framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "web-token/jwt-library"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "web-token/jwt-library"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-208",
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T21:09:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`RSACrypt::decryptWithRSA15()` (used by the `RSA1_5` key-encryption algorithm) implements RSAES-PKCS1-v1_5 decryption by inspecting the padding after RSADP and throwing `InvalidArgumentException` as soon as the padding is malformed. It does **not** implement the implicit-rejection countermeasure required by RFC 3447 \u00a77.2.2 / RFC 8017 \u00a77.1.2 (return a deterministic pseudo-random value of the expected length on padding failure and let the downstream step fail uniformly).\n\nFrom a JWE caller this yields a Bleichenbacher/Marvin padding oracle: an attacker submitting adaptively crafted `encrypted_key` values can distinguish (a) padding rejected, (b) padding valid but wrong CEK length, and (c) padding valid and full AEAD executed \u2014 even though `JWEDecrypter` returns the same `false` in all cases \u2014 because each path performs a measurably different amount of work, amplifiable by enlarging the ciphertext (CWE-208 timing side channel). Enough adaptive queries can recover the wrapped CEK.\n\n### Affected configurations\n\nApplications that register `RSA1_5` in their decryption `AlgorithmManager` and hold an RSA private key.\n\n### Patches\n\nPKCS#1 v1.5 decryption now performs implicit rejection: on invalid padding (or unexpected recovered length) it returns a random CEK of the expected size selected in constant time, so the full content-decryption (AEAD) step always runs and fails uniformly, removing the observable difference between padding-valid and padding-invalid ciphertexts. Users are still strongly encouraged to migrate to `RSA-OAEP`.\n\n### Workarounds\n\nPrefer `RSA-OAEP`/`RSA-OAEP-256`; do not enable `RSA1_5` for untrusted tokens.\n\n### References\n\n- RFC 3447 \u00a77.2.2 / RFC 8017 \u00a77.1.2\n- Bleichenbacher (1998); Marvin attack\n- CWE-208: Observable Timing Discrepancy\n\n## R\u00e9solution\n\nUn correctif a \u00e9t\u00e9 pr\u00e9par\u00e9 sur une branche d\u00e9di\u00e9e bas\u00e9e sur `3.4.x`, avec des tests anti-r\u00e9gression d\u00e9di\u00e9s (fork priv\u00e9 temporaire de cette advisory, PR #1).\n\n**RSA1_5** \u2014 d\u00e9chiffrement PKCS#1 v1.5 avec *implicit rejection* en temps constant (RFC 3447 \u00a77.2.2) : un padding invalide n\u0027est plus distinguable d\u0027un padding valide, neutralisant l\u0027oracle Bleichenbacher.\n\n**Validation :** `php -l` OK, PHPUnit vert, aucune nouvelle erreur PHPStan introduite (diff\u00e9rentiel nul vs `3.4.x`), aucun commentaire ajout\u00e9 dans le code source. Apr\u00e8s merge, cascade pr\u00e9vue `3.4.x \u2192 4.0.x \u2192 4.1.x`.",
"id": "GHSA-5739-39v2-5754",
"modified": "2026-06-18T21:09:57Z",
"published": "2026-06-18T21:09:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/web-token/jwt-framework/security/advisories/GHSA-5739-39v2-5754"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/web-token/jwt-library/GHSA-5739-39v2-5754.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/web-token/jwt-framework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle"
}
GHSA-5QXQ-95FV-WHXM
Vulnerability from github – Published: 2024-08-22 18:31 – Updated: 2024-08-22 21:31An issue was discovered in Matrix libolm (aka Olm) through 3.2.16. Cache-timing attacks can occur due to use of base64 when decoding group session keys. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2024-45192"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T16:15:10Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Matrix libolm (aka Olm) through 3.2.16. Cache-timing attacks can occur due to use of base64 when decoding group session keys. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-5qxq-95fv-whxm",
"modified": "2024-08-22T21:31:29Z",
"published": "2024-08-22T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45192"
},
{
"type": "WEB",
"url": "https://gitlab.matrix.org/matrix-org/olm"
},
{
"type": "WEB",
"url": "https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=41249371"
},
{
"type": "WEB",
"url": "https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6PFC-6M7W-M8FX
Vulnerability from github – Published: 2026-03-31 23:59 – Updated: 2026-04-28 18:19Summary
Allow-always persistence did not unwrap /usr/bin/script and similar wrappers to the actual executed target before storing trust decisions.
Impact
A user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program.
Affected Component
src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts
Fixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit 83da3cfe31 (infra: unwrap script wrapper approval targets).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41390"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:59:53Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nAllow-always persistence did not unwrap `/usr/bin/script` and similar wrappers to the actual executed target before storing trust decisions.\n\n## Impact\n\nA user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program.\n\n## Affected Component\n\n`src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c= 2026.3.24`\n- Patched: `\u003e= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `83da3cfe31` (`infra: unwrap script wrapper approval targets`).",
"id": "GHSA-6pfc-6m7w-m8fx",
"modified": "2026-04-28T18:19:30Z",
"published": "2026-03-31T23:59:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/83da3cfe31f016841e1deedda1a604696f4c488d"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper"
}
GHSA-6PW7-QHF8-RJFF
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2025-08-29 15:30It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.
{
"affected": [],
"aliases": [
"CVE-2017-2624"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-27T18:29:00Z",
"severity": "HIGH"
},
"details": "It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.",
"id": "GHSA-6pw7-qhf8-rjff",
"modified": "2025-08-29T15:30:36Z",
"published": "2022-05-13T01:36:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2624"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2624"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/xorg/xserver/commit/d7ac755f0b618eb1259d93c8a16ec6e39a18627c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201704-03"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201710-30"
},
{
"type": "WEB",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96480"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037919"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-944J-8CH6-RF6X
Vulnerability from github – Published: 2024-02-05 21:30 – Updated: 2026-02-27 20:57A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "m2crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.40.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50781"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208",
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-05T22:41:57Z",
"nvd_published_at": "2024-02-05T21:15:10Z",
"severity": "MODERATE"
},
"details": "A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.",
"id": "GHSA-944j-8ch6-rf6x",
"modified": "2026-02-27T20:57:08Z",
"published": "2024-02-05T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50781"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-50781"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254426"
},
{
"type": "PACKAGE",
"url": "https://gitlab.com/m2crypto/m2crypto"
},
{
"type": "WEB",
"url": "https://gitlab.com/m2crypto/m2crypto/-/issues/342"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657"
}
GHSA-9779-JFG9-FRM3
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
{
"affected": [],
"aliases": [
"CVE-2018-10844"
],
"database_specific": {
"cwe_ids": [
"CWE-327",
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-22T13:29:00Z",
"severity": "MODERATE"
},
"details": "It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.",
"id": "GHSA-9779-jfg9-frm3",
"modified": "2022-05-13T01:14:22Z",
"published": "2022-05-13T01:14:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10844"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3505"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2018-10844"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1582571"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10844"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2018/747"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnutls/gnutls/merge_requests/657"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3999-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9F4V-CW9W-G4CW
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
{
"affected": [],
"aliases": [
"CVE-2016-7056"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-10T16:29:00Z",
"severity": "MODERATE"
},
"details": "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.",
"id": "GHSA-9f4v-cw9w-g4cw",
"modified": "2022-05-13T01:38:43Z",
"published": "2022-05-13T01:38:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7056"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3773"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-7056"
},
{
"type": "WEB",
"url": "https://seclists.org/oss-sec/2017/q1/52"
},
{
"type": "WEB",
"url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7056.html"
},
{
"type": "WEB",
"url": "https://git.openssl.org/?p=openssl.git;a=commit;h=8aed2a7548362e88e84a7feb795a3a97e8395008"
},
{
"type": "WEB",
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=8aed2a7548362e88e84a7feb795a3a97e8395008"
},
{
"type": "WEB",
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig"
},
{
"type": "WEB",
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2016/1195"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7056"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412120"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-7056"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1802"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1801"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1415"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1414"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1413"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2017:1929"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-1415.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95375"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037575"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9MRX-MQMG-GWJ9
Vulnerability from github – Published: 2025-09-30 15:30 – Updated: 2026-07-14 15:31Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.
Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..
While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.
OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.
The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.
{
"affected": [],
"aliases": [
"CVE-2025-9231"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T14:15:41Z",
"severity": "MODERATE"
},
"details": "Issue summary: A timing side-channel which could potentially allow remote\nrecovery of the private key exists in the SM2 algorithm implementation on 64 bit\nARM platforms.\n\nImpact summary: A timing side-channel in SM2 signature computations on 64 bit\nARM platforms could allow recovering the private key by an attacker..\n\nWhile remote key recovery over a network was not attempted by the reporter,\ntiming measurements revealed a timing signal which may allow such an attack.\n\nOpenSSL does not directly support certificates with SM2 keys in TLS, and so\nthis CVE is not relevant in most TLS contexts. However, given that it is\npossible to add support for such certificates via a custom provider, coupled\nwith the fact that in such a custom provider context the private key may be\nrecoverable via remote timing measurements, we consider this to be a Moderate\nseverity issue.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as SM2 is not an approved algorithm.",
"id": "GHSA-9mrx-mqmg-gwj9",
"modified": "2026-07-14T15:31:28Z",
"published": "2025-09-30T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9231"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/567f64386e43683888212226824b6a179885a0fe"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/cba616c26ac8e7b37de5e77762e505ba5ca51698"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/eed5adc9f969d77c94f213767acbb41ff923b6f4"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/fc47a2ec078912b3e914fab5734535e76c4820c2"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-585531.html"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20250930.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/30/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/11/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C2QM-QFP9-HX5M
Vulnerability from github – Published: 2024-03-25 09:32 – Updated: 2024-03-25 09:32Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-25964"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-25T09:15:09Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.",
"id": "GHSA-c2qm-qfp9-hx5m",
"modified": "2024-03-25T09:32:35Z",
"published": "2024-03-25T09:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25964"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000222691/dsa-2024-062-security-update-for-dell-powerscale-onefs-for-proprietary-code-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C38W-74PG-36HR
Vulnerability from github – Published: 2023-11-28 23:28 – Updated: 2026-04-27 16:45Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
Workarounds
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
References
This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
- https://rustsec.org/advisories/RUSTSEC-2023-0071.html
- https://people.redhat.com/~hkario/marvin/
- https://github.com/RustCrypto/RSA/issues/19
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rsa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49092"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-28T23:28:27Z",
"nvd_published_at": "2023-11-28T21:15:08Z",
"severity": "MODERATE"
},
"details": "### Impact\nDue to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.\n\n### Patches\nNo patch is yet available, however work is underway to migrate to a fully constant-time implementation.\n\n### Workarounds\nThe only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.\n\n### References\nThis vulnerability was discovered as part of the \"Marvin Attack\", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.\n\n- https://rustsec.org/advisories/RUSTSEC-2023-0071.html\n- https://people.redhat.com/~hkario/marvin/\n- https://github.com/RustCrypto/RSA/issues/19",
"id": "GHSA-c38w-74pg-36hr",
"modified": "2026-04-27T16:45:08Z",
"published": "2023-11-28T23:28:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49092"
},
{
"type": "WEB",
"url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
},
{
"type": "WEB",
"url": "https://github.com/RustCrypto/RSA/issues/626"
},
{
"type": "PACKAGE",
"url": "https://github.com/RustCrypto/RSA"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0071.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Marvin Attack: potential key recovery through timing sidechannels"
}
Mitigation
Whenever possible, specify implementation strategies that do not introduce time variances in operations.
Mitigation
Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker.
Mitigation
It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application.
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.