CVE-2024-50383

Published: Oct 23, 2024

Modified: Oct 24, 2024

PUBLISHED

Description

Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957

https://github.com/randombit/botan/compare/3.5.0...3.6.0

https://arxiv.org/pdf/2410.13489

https://news.ycombinator.com/item?id=41887153

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-50383

Description

Affected Products

References