The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a timing side channel that allows attackers to recover an ML-KEM 512 secret key in minutes. This occurs because poly_frommsg in poly.c does not prevent Clang from emitting a vulnerable secret-dependent branch.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-06-10T00:00:00

Updated: 2024-08-02T03:57:39.987Z

Reserved: 2024-06-10T00:00:00

Link: CVE-2024-37880

cve-icon Vulnrichment

Updated: 2024-07-19T20:23:55.739Z

cve-icon NVD

Status : Modified

Published: 2024-06-10T02:15:47.160

Modified: 2024-11-21T09:24:27.287

Link: CVE-2024-37880

cve-icon Redhat

No data.