CVE-2024-26306

CWE-385CWE-2039 documents8 sources
Severity
5.9MEDIUM
EPSS
0.6%
top 29.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
ES Iperf3
Timeline
PublishedMay 14
Latest updateJan 21

Description

iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

NVDes/iperf3< 3.17
Debianiperf3< 3.9-1+deb11u2+2

🔴Vulnerability Details

4
OSV
iperf3 vulnerabilities2026-01-21
GHSA
GHSA-x8qh-8j65-v4j9: iPerf3 before 32024-05-14
OSV
CVE-2024-26306: iPerf3 before 32024-05-14
CVEList
CVE-2024-26306: iPerf3 before 32024-05-13

📋Vendor Advisories

4
Ubuntu
iperf3 vulnerabilities2026-01-21
Red Hat
iperf3: vulnerable to marvin attack if the authentication option is used2024-05-15
Microsoft
iPerf3 before 3.17 when used with OpenSSL before 3.2.0 as a server with RSA authentication allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attac2024-05-14
Debian
CVE-2024-26306: iperf3 - iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA aut...2024
CVE-2024-26306 (MEDIUM CVSS 5.9) | iPerf3 before 3.17 | cvebase.io