FKIE_CVE-2025-22866

Vulnerability from fkie_nvd - Published: 2025-02-06 17:15 - Updated: 2025-02-21 18:15
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
References
security@golang.orghttps://go.dev/cl/643735
security@golang.orghttps://go.dev/issue/71383
security@golang.orghttps://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
security@golang.orghttps://pkg.go.dev/vuln/GO-2025-3447
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20250221-0002/
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols."
    },
    {
      "lang": "es",
      "value": "Debido al uso de una instrucci\u00f3n de tiempo variable en la implementaci\u00f3n de ensamblaje de una funci\u00f3n interna, se filtra una peque\u00f1a cantidad de bits de escalares secretos en la arquitectura ppc64le. Debido a la forma en que se utiliza esta funci\u00f3n, no creemos que esta filtraci\u00f3n sea suficiente para permitir la recuperaci\u00f3n de la clave privada cuando se utiliza P-256 en cualquier protocolo conocido."
    }
  ],
  "id": "CVE-2025-22866",
  "lastModified": "2025-02-21T18:15:32.243",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-06T17:15:21.410",
  "references": [
    {
      "source": "security@golang.org",
      "url": "https://go.dev/cl/643735"
    },
    {
      "source": "security@golang.org",
      "url": "https://go.dev/issue/71383"
    },
    {
      "source": "security@golang.org",
      "url": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k"
    },
    {
      "source": "security@golang.org",
      "url": "https://pkg.go.dev/vuln/GO-2025-3447"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20250221-0002/"
    }
  ],
  "sourceIdentifier": "security@golang.org",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.