CVE-2024-50383 — Observable Discrepancy in Project Botan

CWE-203 — Observable Discrepancy9 documents6 sources

Severity

5.9MEDIUMNVD

OSV5.3

EPSS

0.2%

top 61.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Botan Project Botan Debian Botan

Timeline

PublishedOct 23

Latest updateJun 23

Description

Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/botan< botan 2.19.3+dfsg-1+deb12u1 (bookworm)

▶NVDbotan_project/botan< 3.6.0

▶Debianbotan_project/botan< 2.19.3+dfsg-1+deb12u1+1

▶Ubuntubotan_project/botan< 2.19.1+dfsg-2ubuntu1+esm1+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

botan vulnerabilities↗2025-06-23

▶

GHSA

GHSA-m6p4-vhgw-8c9c: Botan before 3↗2024-10-23

▶

OSV

CVE-2024-50383: Botan before 3↗2024-10-23

▶

📋Vendor Advisories

Ubuntu

Botan vulnerabilities↗2025-06-23

▶

Debian

CVE-2024-50383: botan - Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced s...↗2024

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32884 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-32877 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-32883 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶