CVE-2025-22866Sensitive Information Exposure in Standard Library Crypto Internal Nistec

CWE-200Sensitive Information Exposure10 documents8 sources
Severity
4.0MEDIUMNVD
EPSS
0.0%
top 94.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GO Standard Library Crypto Internal Nistec
Timeline
PublishedFeb 6
Latest updateJun 18

Description

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.5 | Impact: 1.4

Affected Packages1 packages

CVEListV5go_standard_library/crypto_internal_nistec1.23.0-01.23.6+2

🔴Vulnerability Details

5
OSV
golang-1.22 vulnerabilities2025-06-18
GHSA
GHSA-3whm-j4xm-rv8x: Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are l2025-02-06
OSV
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec2025-02-06
OSV
CVE-2025-22866: Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are l2025-02-06
CVEList
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec2025-02-06

📋Vendor Advisories

4
Ubuntu
Go vulnerabilities2025-06-18
Microsoft
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec2025-02-11
Red Hat
crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec2025-02-06
Debian
CVE-2025-22866: golang-1.15 - Due to the usage of a variable time instruction in the assembly implementation o...2025
CVE-2025-22866 — Sensitive Information Exposure | cvebase