The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a timing side channel that allows attackers to recover an ML-KEM 512 secret key in minutes. This occurs because poly_frommsg in poly.c does not prevent Clang from emitting a vulnerable secret-dependent branch.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-06-10T00:00:00
Updated: 2024-08-02T03:57:39.987Z
Reserved: 2024-06-10T00:00:00
Link: CVE-2024-37880
Vulnrichment
Updated: 2024-07-19T20:23:55.739Z
NVD
Status : Modified
Published: 2024-06-10T02:15:47.160
Modified: 2024-11-21T09:24:27.287
Link: CVE-2024-37880
Redhat
No data.