CVE-2024-36405

Name of the Vulnerable Software and Affected Versions liboqs versions prior to 0.10.1

Description A control-flow timing issue has been identified in the reference implementation of the Kyber key encapsulation mechanism in liboqs, a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. This issue can be exploited to leak secret information. A proof-of-concept local attack can leak the entire ML-KEM 512 secret key in approximately 10 minutes using end-to-end decapsulation timing measurements.

Recommendations For versions prior to 0.10.1, update to version 0.10.1 to resolve the issue. As a temporary workaround, consider using compiler options that may produce vectorized code, which does not leak secret information, however, relying on these compiler options as a workaround may not be reliable.