Sign In

CVE-2025-9231

ADVISORY - nist

Summary

Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.

Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..

While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.

OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.

EPSS Score: 0.00015 (0.024)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-385

Covert Timing Channel

Impacted images

Advisories

Alpine

CREATED

UPDATED

ADVISORY IDCVE-2025-9231
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY
PackageTypeOS NameOS VersionAffected RangesFix Versions
alpine/opensslapkalpine3.20<3.3.5-r03.3.5-r0
alpine/opensslapkalpine3.20<3.3.5-r03.3.5-r0
alpine/opensslapkalpineedge<3.5.4-r03.5.4-r0
alpine/opensslapkalpineedge<=3.3.2-r4Not yet available
alpine/opensslapkalpineedge<=3.3.2-r5Not yet available
alpine/opensslapkalpineedge<=3.3.2-r6Not yet available
alpine/opensslapkalpineedge<=3.3.3-r0Not yet available
alpine/opensslapkalpineedge<=3.5.0-r0Not yet available
alpine/opensslapkalpineedge<=3.5.1-r0Not yet available
alpine/opensslapkalpineedge<=3.5.2-r0Not yet available
alpine/opensslapkalpineedge<=3.5.3-r0Not yet available
alpine/opensslapkalpineedge<=3.5.3-r1Not yet available
alpine/opensslapkalpineedge<=3.5.3-r2Not yet available
alpine/opensslapkalpine3.23<3.5.4-r03.5.4-r0
alpine/opensslapkalpine3.22<3.5.4-r03.5.4-r0
alpine/opensslapkalpine3.19<00
alpine/opensslapkalpine3.21<3.3.5-r03.3.5-r0
alpine/opensslapkalpine3.21<=3.3.2-r4Not yet available
alpine/opensslapkalpine3.21<=3.3.2-r5Not yet available
alpine/opensslapkalpine3.21<=3.3.2-r6Not yet available
alpine/opensslapkalpine3.21<=3.3.3-r0Not yet available
alpine/opensslapkalpine3.21<=3.3.4-r0Not yet available
alpine/opensslapkalpine3.20<=3.3.2-r1Not yet available
alpine/opensslapkalpine3.20<=3.3.2-r2Not yet available
alpine/opensslapkalpine3.20<=3.3.3-r0Not yet available
alpine/opensslapkalpine3.20<=3.3.4-r0Not yet available
alpine/opensslapkalpine3.21<3.3.5-r03.3.5-r0
alpine/opensslapkalpine3.22<3.5.4-r03.5.4-r0
alpine/opensslapkalpine3.22<=3.5.0-r0Not yet available
alpine/opensslapkalpine3.22<=3.5.1-r0Not yet available
alpine/opensslapkalpine3.22<=3.5.2-r0Not yet available
alpine/opensslapkalpine3.22<=3.5.3-r0Not yet available
alpine/opensslapkalpine3.22<=3.5.3-r1Not yet available
alpine/opensslapkalpineedge<3.5.4-r03.5.4-r0

Severity and metrics

No CVSS data available from this advisory.

NIST

CREATED

UPDATED

ADVISORY IDCVE-2025-9231
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-385

CVSS SCORE

6.5medium

Debian

CREATED

UPDATED

ADVISORY IDCVE-2025-9231
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2025-9231
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Amazon

CREATED

UPDATED

ADVISORY IDALAS2023-2025-1225
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-vphj-52vf-9m66

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-4x56-859r-prjq

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-f394-p673-w5hp

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY