Kyber · Kyber · CVE-2024-37880
**Name of the Vulnerable Software and Affected Versions**
Kyber reference implementation versions prior to 9b8d306
**Description**
The Kyber reference implementation contains a timing side channel that allows an attacker to recover an ML-KEM 512 secret key in minutes. The cause is the `poly_frommsg` function in `poly.c`, which expands each bit of the 32-byte message into a polynomial coefficient of either 0 or (q+1)/2 using a mask-and-AND construction. Because the result is provably one of only two values, LLVM Clang with certain common optimization options rewrites the constant-time arithmetic into a conditional branch on the message bit, and the source does nothing to stop it. The message bits are secret during decapsulation, where the decrypted message is re-encrypted for the implicit-rejection check, so an attacker who can submit ciphertexts and time the response learns key-dependent information from that branch.
**Recommendations**
For versions prior to 9b8d306, the robust fix is a source-level change that prevents the compiler from specialising the two possible coefficient values into a branch, typically a value barrier on the message bit (an empty inline-asm statement the optimizer cannot see through) before the mask is formed. Changing compiler options alone is a weaker mitigation: the optimization that introduces the branch can reappear with a different compiler version, target, or flag set. Whichever route is taken, verify the result by inspecting the generated assembly of `poly_frommsg` at the exact optimization level you ship with; there must be no conditional jump that depends on a message bit.
Commit 9b8d306 of the reference implementation is the fixed revision; update to it or later. Projects that vendored a copy of `poly.c` from an earlier revision do not pick up the fix automatically and must carry the same change themselves.
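As an added illustration for both the description and the recommendations above (my own code, not lines from the Kyber reference implementation or from commit 9b8d306), the block below places the vulnerable shape of the bit-to-coefficient expansion next to a hardened form that routes the message bit through an inline-asm value barrier, then checks that both produce identical polynomials for a constructed message. The names `frommsg_plain`, `frommsg_hardened`, `value_barrier_u16` and the sample message `kSampleMsg` are assumptions of this example, not identifiers from the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parameters shared by all Kyber/ML-KEM parameter sets: n = 256, q = 3329,
 * and a 32-byte message (one coefficient per message bit). */
#define KYBER_N   256
#define KYBER_Q   3329
#define MSGBYTES  (KYBER_N / 8)
#define HALF_Q    ((KYBER_Q + 1) / 2)   /* 1665 */

/* Shape of the affected code (paraphrased, not the project's own lines):
 * a 0/0xFFFF mask is derived from one message bit and ANDed with (q+1)/2.
 * Since the result is provably either 0 or 1665, an optimising compiler may
 * lower the AND to a select and then to a conditional branch on the secret
 * bit, which is the timing leak the advisory describes. */
static void frommsg_plain(int16_t coeffs[KYBER_N], const uint8_t msg[MSGBYTES])
{
  for (size_t i = 0; i < MSGBYTES; i++) {
    for (size_t j = 0; j < 8; j++) {
      int16_t mask = -(int16_t)((msg[i] >> j) & 1);
      coeffs[8 * i + j] = mask & HALF_Q;
    }
  }
}

/* Value barrier (example idiom, not the upstream fix): an empty asm
 * statement that "modifies" v in a register, so the optimiser can no longer
 * prove v is 0/1-valued and cannot specialise the two cases into a branch.
 * Always confirm the effect in the generated assembly. */
static inline uint16_t value_barrier_u16(uint16_t v)
{
#if defined(__GNUC__) || defined(__clang__)
  __asm__("" : "+r"(v));
#endif
  return v;
}

/* Hardened variant: same arithmetic, but the bit passes through the barrier
 * before the mask is formed. */
static void frommsg_hardened(int16_t coeffs[KYBER_N], const uint8_t msg[MSGBYTES])
{
  for (size_t i = 0; i < MSGBYTES; i++) {
    for (size_t j = 0; j < 8; j++) {
      uint16_t bit  = (msg[i] >> j) & 1;
      uint16_t mask = (uint16_t)(0u - value_barrier_u16(bit)); /* 0 or 0xFFFF */
      coeffs[8 * i + j] = (int16_t)(mask & HALF_Q);
    }
  }
}

/* Constructed 32-byte message used as test input (not a real decrypted
 * message): bytes 0..3 exercise single bits and all-ones/all-zeros, the
 * remaining 28 bytes are 0xA5 (four set bits each). */
const uint8_t kSampleMsg[MSGBYTES] = {
  0x01, 0x80, 0xFF, 0x00,
  0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
  0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
  0xA5, 0xA5, 0xA5, 0xA5
};

/* 1 if both variants produce identical polynomials for msg, else 0. */
int frommsg_variants_agree(const uint8_t msg[MSGBYTES])
{
  int16_t a[KYBER_N], b[KYBER_N];
  frommsg_plain(a, msg);
  frommsg_hardened(b, msg);
  return memcmp(a, b, sizeof a) == 0;
}

/* Coefficient for message bit `bit_index` (0..255) from the hardened path. */
int16_t hardened_coeff(const uint8_t msg[MSGBYTES], size_t bit_index)
{
  int16_t c[KYBER_N];
  frommsg_hardened(c, msg);
  return c[bit_index];
}

/* Number of coefficients equal to (q+1)/2, i.e. the popcount of msg. */
size_t count_set_coeffs(const uint8_t msg[MSGBYTES])
{
  int16_t c[KYBER_N];
  size_t n = 0;
  frommsg_hardened(c, msg);
  for (size_t k = 0; k < KYBER_N; k++) n += (c[k] == HALF_Q);
  return n;
}

int main(void)
{
  printf("variants agree: %d\n", frommsg_variants_agree(kSampleMsg));
  printf("coeff[0]=%d coeff[1]=%d set=%zu\n",
         hardened_coeff(kSampleMsg, 0), hardened_coeff(kSampleMsg, 1),
         count_set_coeffs(kSampleMsg));
  return 0;
}
```

Build this with the Clang version and optimization flags you actually ship and compare the assembly of the two loops (`clang -O2 -S` is enough to look). A conditional jump inside the plain variant's inner loop is the pattern the advisory describes and should be absent from the hardened variant. Whether the plain variant really receives a branch depends on the Clang version and target, so the disassembly, not the C source, is the evidence that matters.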