PT-2024-40910 · Unknown · Curve25519-Dalek
Published 2024-06-18 · Updated 2024-06-18
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
curve25519-dalek (affected versions not specified)
Description
The issue concerns timing variability when operating on potentially secret values, such as elliptic curve scalars, which can leak private keys and other secrets. It was found in the curve25519-dalek implementation, specifically in the Scalar29::sub and Scalar52::sub functions. These functions are written branch-free: after the subtraction, the modulus is added back under a bit mask that is either all zeros or all ones depending on whether the subtraction underflowed. The compiler recognized that the masked addition contributes nothing when the mask is zero and optimized that code section away, replacing it with a branch on a value derived from secret data. Because the branch is taken or skipped depending on the secret, the execution time varies with it and the secret can leak through a timing side channel. A similar problem was found in the Kyber reference implementation. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Recommendations
As a temporary workaround, consider introducing a volatile read as an optimization barrier, so that the compiler cannot prove the masked code section is dead and replace it with a secret-dependent branch.
For the Scalar29::sub and Scalar52::sub functions, ensure that the mask value used to conditionally add the modulus back is not optimized away by the compiler; otherwise the branch the mask was meant to avoid is reintroduced and can leak information.
At the moment, there is no information about a newer version that contains a fix for this vulnerability; check the project's release notes before relying on the workaround alone.
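The following Rust program, added here as an illustration and not taken from curve25519-dalek, shows the mask-and-add pattern that Scalar52::sub relies on and the volatile-read barrier the workaround describes. `sub_masked` is the textbook branch-free version whose masked addition a compiler may turn into a branch; `sub_barrier` passes the underflow mask through `core::ptr::read_volatile` so the compiler must treat it as an opaque runtime value. The limb layout (five 52-bit limbs) and the constant L (the Ed25519 group order) follow the public Scalar52 representation; the function names, the `barrier` helper and the test inputs are constructed for this example.

```rust
use core::ptr;

/// Number of 52-bit limbs in a Scalar52-style little-endian representation.
const LIMBS: usize = 5;
/// Mask selecting the low 52 bits of a limb.
const LIMB_MASK: u64 = (1u64 << 52) - 1;

/// Group order L = 2^252 + 27742317777372353535851937790883648493, in 52-bit limbs.
const L: [u64; LIMBS] = [
    0x0002631a5cf5d3ed,
    0x000dea2f79cd6581,
    0x000000000014def9,
    0x0000000000000000,
    0x0000100000000000,
];

/// Optimization barrier (constructed helper): the volatile read forces the
/// mask to be materialized and reloaded, so the compiler can no longer reason
/// "mask is zero in one case, so skip the addition" and emit a branch.
#[inline(never)]
fn barrier(x: u64) -> u64 {
    // SAFETY: `&x` is a valid, aligned, initialized u64 for the duration of the read.
    unsafe { ptr::read_volatile(&x) }
}

/// No-op guard: leaves the mask exposed to the optimizer.
fn passthrough(x: u64) -> u64 {
    x
}

/// (a - b) mod L for reduced inputs, with the mask left unguarded.
/// This is the pattern that the compiler can rewrite into a branch.
pub fn sub_masked(a: &[u64; LIMBS], b: &[u64; LIMBS]) -> [u64; LIMBS] {
    sub_inner(a, b, passthrough)
}

/// (a - b) mod L with the underflow mask passed through the volatile barrier.
pub fn sub_barrier(a: &[u64; LIMBS], b: &[u64; LIMBS]) -> [u64; LIMBS] {
    sub_inner(a, b, barrier)
}

fn sub_inner(a: &[u64; LIMBS], b: &[u64; LIMBS], guard: fn(u64) -> u64) -> [u64; LIMBS] {
    let mut diff = [0u64; LIMBS];

    // Limb-wise a - b; the borrow out of each limb lands in bit 63.
    let mut borrow: u64 = 0;
    for i in 0..LIMBS {
        borrow = a[i].wrapping_sub(b[i] + (borrow >> 63));
        diff[i] = borrow & LIMB_MASK;
    }

    // All ones if the subtraction went negative, all zeros otherwise.
    let underflow_mask = guard(((borrow >> 63) ^ 1).wrapping_sub(1));

    // Add L back under the mask instead of branching on the sign.
    let mut carry: u64 = 0;
    for i in 0..LIMBS {
        carry = (carry >> 52) + diff[i] + (L[i] & underflow_mask);
        diff[i] = carry & LIMB_MASK;
    }
    diff
}

fn main() {
    let zero = [0u64; LIMBS];
    let one = [1u64, 0, 0, 0, 0];
    // 0 - 1 underflows, so the result is L - 1.
    println!("0 - 1 mod L = {:#x?}", sub_barrier(&zero, &one));
}
```

`core::hint::black_box` is another way to express the same barrier in stable Rust. Neither is a guarantee: Rust and LLVM make no constant-time promises, so after applying a barrier inspect the generated assembly of the affected function (for example with `cargo asm` or `objdump -d`) for conditional jumps that depend on the mask, and re-check after every toolchain upgrade.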
Related Identifiers
Affected Products
Kyber
Curve25519-Dalek