CVE-2022-46392
published 2022-12-15


Priority: P425, medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.79% (51.5th percentile)

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.

Affected

15 ranges
Vendor | Product | Version range | Fixed in
arm | mbed_tls | < 2.28.2 | 2.28.2
debian | mbedtls | < mbedtls 2.28.2-1 (bookworm) | mbedtls 2.28.2-1 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
mbed | mbedtls | >= 0 < 2.16.9-0.1+deb11u1 | 2.16.9-0.1+deb11u1
mbed | mbedtls | >= 0 < 2.28.2-1 | 2.28.2-1
mbed | mbedtls | >= 0 < 2.28.2-1 | 2.28.2-1
mbed | mbedtls | >= 0 < 2.28.2-1 | 2.28.2-1
msrc | azl3_qemu_8.2.0-16_on_azure_linux_3.0 | |
msrc | cbl2_fluent-bit_2.0.9-1_on_cbl_mariner_2.0 | |
msrc | cbl2_qemu_6.2.0-24_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
msrc | cm1_fluent-bit_1.5.2-3_on_cbl_mariner_1.0 | |
trustedfirmware | mbed_tls | >= 3.0.0 < 3.3.0 | 3.3.0

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
osv | | 5.3 | MEDIUM |
vendor_debian | | 5.3 | MEDIUM |
vendor_msrc | | 5.3 | MEDIUM |