CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-22866: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec

Description

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

Classification

CVE ID: CVE-2025-22866

Affected Products

Vendor: Go standard library

Product: crypto/internal/nistec

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.35% (scored less or equal to compared to others)

EPSS Date: 2025-03-07 (when was this score calculated)

References

https://go.dev/cl/643735
https://go.dev/issue/71383
https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
https://pkg.go.dev/vuln/GO-2025-3447

Timeline

2025-02-07 00:31:28 UTC
CVE

Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
2025-04-01 10:15:25 UTC
Tenable Plugins

EulerOS 2.0 SP13 : golang (EulerOS-SA-2025-1333)
2025-04-01 10:15:28 UTC
Tenable Plugins

EulerOS 2.0 SP13 : golang (EulerOS-SA-2025-1316)