How severe is CVE-2024-36405?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2024-36405?

This is classified as CWE-208, which is a common weakness in software security.

CVE-2024-36405 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. A control-flow timing lean has been identified in the reference implementation of the Kyber key encapsulation mechanism when it is compiled with Clang 15-18 for `-Os`, `-O1`, and other compilation options. A proof-of-concept local attack on the reference implementation leaks the entire ML-KEM 512 secret key in ~10 minutes using end-to-end decapsulation timing measurements. The issue has been fixed in version 0.10.1. As a possible workaround, some compiler options may produce vectorized code that does not leak secret information, however relying on these compiler options as a workaround may not be reliable.

Related Vulnerabilities

CVE-2016-10535

MEDIUM

CVSS:5.9(Medium)

csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail first string comparison, instead of a time constant string comparison This enab...

CWE-2082016

CVE-2019-13420

MEDIUM

CVSS:5.9(Medium)

Search Guard versions before 21.0 had an timing side channel issue when using the internal user database.

CWE-2082019

CVE-2019-16782

MEDIUM

CVSS:5.9(Medium)

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions...

CWE-2082019

CVE-2019-9494

MEDIUM

CVSS:5.9(Medium)

The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain ...

CWE-2082019

CVE-2020-1926

MEDIUM

CVSS:5.9(Medium)

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue ...

CWE-2082020

CVE-2021-4294

MEDIUM

CVSS:5.9(Medium)

A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to ob...

CWE-2082021