PT-2024-27807 · Kyber · Kyber

Antoon Purnal · Published 2024-06-09 · Updated 2024-08-01 · CVE-2024-37880

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kyber reference implementation, versions prior to commit 9b8d306
Description: The issue is a timing side channel that allows an attacker to recover an ML-KEM 512 secret key in minutes. It occurs because the poly_frommsg function in poly.c does not prevent the compiler from emitting a secret-dependent branch when the code is compiled by LLVM Clang with certain optimization options.
Recommendations: For versions prior to 9b8d306, consider recompiling the implementation with compiler options that prevent the emission of secret-dependent branches, or apply other mitigations against timing side-channel attacks. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
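The advisory describes the failure mode (a masked bit-to-coefficient conversion that the optimizer rewrites as a branch on a message bit) but not the defensive pattern. The following is an added illustration, not code from the Kyber project or from commit 9b8d306: it shows a branch-free message encoding in the style of poly_frommsg that routes the mask through a compiler value barrier, so the optimizer can no longer prove the mask is 0 or -1 and turn the AND into a conditional jump. The names value_barrier_i16, ct_select_i16, poly_frommsg_ct and poly_frommsg_selftest are assumptions chosen for this example; the parameter values (q = 3329, n = 256, 32-byte message) are the published ML-KEM 512 ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parameters of the ML-KEM 512 / Kyber reference implementation. */
#define KYBER_Q        3329
#define KYBER_N        256
#define KYBER_SYMBYTES 32

/*
 * Value barrier (assumed helper, not the project's own): the empty asm
 * statement marks `v` as read and written, so the optimizer can no longer see
 * that the mask is either 0 or -1 and cannot rewrite the masked AND below as a
 * branch on the message bit. Without GNU-style inline asm, fall back to a
 * volatile copy, which the optimizer must also load as an opaque value.
 */
static inline int16_t value_barrier_i16(int16_t v) {
#if defined(__GNUC__) || defined(__clang__)
    __asm__("" : "+r"(v));
    return v;
#else
    volatile int16_t copy = v;
    return copy;
#endif
}

/* Branch-free select: returns `a` when bit == 1 and `b` when bit == 0. */
static inline int16_t ct_select_i16(int16_t a, int16_t b, uint8_t bit) {
    int16_t mask = value_barrier_i16(-(int16_t)(bit & 1)); /* 0x0000 or 0xFFFF */
    return (int16_t)(b ^ (mask & (a ^ b)));
}

/*
 * Encode a 32-byte message into a polynomial, one bit per coefficient:
 * bit 1 -> (q+1)/2, bit 0 -> 0. Every coefficient runs the same instruction
 * sequence regardless of the message bit, and the barrier keeps it that way
 * after optimization.
 */
void poly_frommsg_ct(int16_t coeffs[KYBER_N], const uint8_t msg[KYBER_SYMBYTES]) {
    for (size_t i = 0; i < KYBER_N / 8; i++) {
        for (size_t j = 0; j < 8; j++) {
            uint8_t bit = (uint8_t)((msg[i] >> j) & 1);
            coeffs[8 * i + j] = ct_select_i16((KYBER_Q + 1) / 2, 0, bit);
        }
    }
}

/* Decode back to bytes so the round trip can be checked (test helper only;
 * the comparison here is deliberately not constant-time). */
static void poly_tomsg_check(uint8_t msg[KYBER_SYMBYTES], const int16_t coeffs[KYBER_N]) {
    memset(msg, 0, KYBER_SYMBYTES);
    for (size_t k = 0; k < KYBER_N; k++) {
        uint8_t bit = (coeffs[k] == (KYBER_Q + 1) / 2) ? 1 : 0;
        msg[k / 8] |= (uint8_t)(bit << (k % 8));
    }
}

/* Self-test on a constructed message; returns 1 on success, 0 on failure. */
int poly_frommsg_selftest(void) {
    uint8_t msg[KYBER_SYMBYTES];
    uint8_t back[KYBER_SYMBYTES];
    int16_t coeffs[KYBER_N];
    for (size_t i = 0; i < KYBER_SYMBYTES; i++)
        msg[i] = (uint8_t)(0x5A ^ (i * 37)); /* constructed sample message */
    poly_frommsg_ct(coeffs, msg);
    /* msg[0] = 0x5A = 0101 1010b: bit 0 is 0, bit 1 is 1 */
    if (coeffs[0] != 0 || coeffs[1] != (KYBER_Q + 1) / 2)
        return 0;
    poly_tomsg_check(back, coeffs);
    return memcmp(msg, back, KYBER_SYMBYTES) == 0;
}
```

The barrier is a source-level defense and complements, rather than replaces, the advisory's recommendation to choose compiler options carefully: the check a practitioner should still perform is to disassemble the compiled object (for example with objdump -d) at every optimization level actually shipped and confirm that the encoding function contains no conditional jump that depends on a message byte.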

Exploit: Side Channel Attack

Weakness Enumeration:

Related Identifiers: CVE-2024-37880

Affected Products: Kyber