GSA_kwCzR0hTQS05NzYzLTRmOTQtZ2ZjaM4AA4Ql

CIRCL's Kyber: timing side-channel (kyberslash2)

Affected Packages               Affected Versions   Fixed Versions
go:github.com/cloudflare/circl  < 1.3.7             1.3.7

6,861 dependent packages
2,787 dependent repositories

Affected Version Ranges

All affected versions

1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6

All unaffected versions

1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.5.0, 1.6.0, 1.6.1

Impact

On some platforms, when an attacker can time decapsulation of Kyber on forged ciphertexts, they could learn (parts of) the secret key.

This does not apply to ephemeral usage, such as the regular way Kyber is used in TLS.

Patches

Patched in 1.3.7.
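Added example, not part of this advisory or of the circl project: a Go check that scans a go.mod for the circl dependency and compares its version with the 1.3.7 fix, so a team can tell from the file alone whether the affected range applies. It assumes the go.mod is read as text and that require/replace lines name the module explicitly; the resolved build list from `go list -m all` remains the authoritative view.

```go
package main

import (
	"strconv"
	"strings"
)
// Advisory range: every circl release below 1.3.7 is affected, 1.3.7 fixes it.
const (
	circlModule = "github.com/cloudflare/circl"
	circlFixed  = 1*1000000 + 3*1000 + 7 // same encoding as versionKey("v1.3.7")
)
// versionKey maps "vMAJOR.MINOR.PATCH" to one comparable int (components < 1000). ok is false for anything
// else, including pre-release/pseudo-versions (v1.3.7-0.2024...), which semver orders below their base version.
func versionKey(v string) (key int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return 0, false
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1000 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}
// CirclVersion returns the circl version named in go.mod text, or "" if circl is absent.
// "require M vN" and "replace M => M vN" lines both match; the last one in the file wins.
func CirclVersion(gomod string) (found string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		for i := len(f) - 2; i >= 0; i-- {
			if f[i] == circlModule && strings.HasPrefix(f[i+1], "v") {
				found = f[i+1]
				break
			}
		}
	}
	return found
}
// Affected reports whether go.mod pins circl below 1.3.7 (an unparseable version counts as affected: fail closed).
func Affected(gomod string) bool {
	v := CirclVersion(gomod)
	if v == "" {
		return false // circl is not a dependency at all
	}
	key, ok := versionKey(v)
	return !ok || key < circlFixed
}
```

Comparison is numeric, so v1.3.10 is correctly placed above v1.3.7, which a plain string comparison would get wrong.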
