PT-2025-4738 · Go+9

Rolandshoemaker · Published 2025-02-04 · Updated 2026-01-30 · CVE-2025-22866

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Go versions prior to 1.23.6
Go versions prior to 1.22.12

Description

The issue concerns a security fix in the crypto/elliptic package. Because the assembly implementation of an internal function uses a variable-time instruction, a small number of bits of secret scalars are leaked on the ppc64le architecture. However, it is believed that this leakage is not enough to allow recovery of the private key when P-256 is used in any well-known protocols.

Recommendations

For Go versions prior to 1.23.6, update to version 1.23.6 to resolve the issue.
For Go versions prior to 1.22.12, update to version 1.22.12 to resolve the issue.

Fix

Memory Leak

Weakness Enumeration

Related Identifiers

ALSA-2025:7466
ALT-PU-2025-10791
ALT-PU-2025-3850
ALT-PU-2025-3927
ALT-PU-2025-6549
BDU:2025-03456
BIT-GOLANG-2025-22866
CLEANSTART-2026-CR41732
CLEANSTART-2026-OJ41940
CVE-2025-22866
ECHO-2AD3-2EE4-A992
GO-2025-3447
MGASA-2025-0065
OPENSUSE-SU-2025:14735-1
OPENSUSE-SU-2025:14745-1
OPENSUSE-SU-2025:14746-1
OPENSUSE-SU-2025:14754-1
OPENSUSE-SU-2025:15030-1
OPENSUSE-SU-2025_0392-1
OPENSUSE-SU-2025_0393-1
OPENSUSE-SU-2025_0429-1
OPENSUSE-SU-2025_0431-1
RHSA-2025:3773
RHSA-2025:7326
RHSA-2025:7466
RHSA-2025_3773
RHSA-2025_7326
SUSE-SU-2025:01731-1
SUSE-SU-2025:03159-1
SUSE-SU-2025:0392-1
SUSE-SU-2025:0393-1
SUSE-SU-2025:0429-1
SUSE-SU-2025:0431-1
SUSE-SU-2025:1555-1
SUSE-SU-2025_03159-1
SUSE-SU-2025_0392-1
SUSE-SU-2025_0393-1
SUSE-SU-2025_0431-1
USN-7574-1

Affected Products

Alt Linux
Astra Linux
Debian
Go
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu