CVE-2025-22866

Feb. 21, 2025, 6:15 p.m.

4.0
Low

Description

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

Product(s) Impacted

Product Versions
Go programming language

Weaknesses

References

https://go.dev/cl/643735
https://go.dev/issue/71383
https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
https://pkg.go.dev/vuln/GO-2025-3447
https://security.netapp.com/advisory/ntap-20250221-0002/

Tags

security@golang.org
2025-02-06
CVE-2025-22866

CVSS Score

4.0 / 10

CVSS Data

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Date

  • Published: Feb. 6, 2025, 5:15 p.m.
  • Last Modified: Feb. 21, 2025, 6:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@golang.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.