CVE-2025-22866
Published: February 8, 2025
Last modified: February 14, 2025
Description
Due to the usage of a variable-time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well-known protocols.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4 |
Attack Vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
User interaction | NONE |
Scope | UNCHANGED |
Confidentiality | LOW |
Integrity impact | NONE |
Availability impact | NONE |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Notes
The CVE is specific to the ppc64le architecture, which we do not support.
Status
Product | Release | Package | Status |
---|---|---|---|
Alpaquita Linux | 23 LTS | go | Not affected (1.19.7-r0) |
Alpaquita Linux | Stream | go | Not affected (1.20.5-r2) |