CVE-2025-22866

Name
CVE-2025-22866
Description
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@golang.org https://go.dev/cl/643735
security@golang.org https://go.dev/issue/71383
security@golang.org https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
security@golang.org https://pkg.go.dev/vuln/GO-2025-3447
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20250221-0002/

Match rules

CPE URI Source package Min version Max version
crypto/internal/nistec >= 0 < 1.22.12
crypto/internal/nistec >= 1.23.0-0 < 1.23.6
crypto/internal/nistec >= 1.24.0-0 < 1.24.0-rc.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
go edge-community 1.23.6-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go 3.21-community 1.23.6-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed