{"id":"CVE-2024-13176","details":"Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","modified":"2026-04-16T04:35:29.313942557Z","published":"2025-01-20T14:15:26.247Z","related":["ALSA-2025:15699","ALSA-2025:16046","CGA-3349-gw4v-v75q","SUSE-SU-2025:02042-1","SUSE-SU-2025:0345-1","SUSE-SU-2025:0349-1","SUSE-SU-2025:0356-1","SUSE-SU-2025:0387-1","SUSE-SU-2025:0388-1","SUSE-SU-2025:0390-1","SUSE-SU-2025:0430-1","SUSE-SU-2025:0613-1","SUSE-SU-2025:0613-2","SUSE-SU-2025:0613-3","SUSE-SU-2025:20233-1","SUSE-SU-2025:20406-1","SUSE-SU-2025:20464-1","USN-7264-1","openSUSE-SU-2025:14696-1"],"references":[{"type":"WEB","url":"https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded"},{"type":"WEB","url":"https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86"},{"type":"WEB","url":"https://openssl-library.org/news/secadv/20250120.txt"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/01/20/2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250124-0005/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250418-0010/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250502-0006/"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"07272b05b04836a762b4baa874958af51d513844"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"2af62e74fb59bc469506bc37eb2990ea408d9467"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"392dcb336405a0c94486aa6655057f59fd3a0902"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"4b1cb94a734a7d4ec363ac0a215a25c181e11f65"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"77c608f4c8857e63e98e66444e2e761c9627916f"}]}],"versions":["BEFORE_engine","OpenSSL_0_9_1c","OpenSSL_0_9_2b","OpenSSL_0_9_3","OpenSSL_0_9_3a","OpenSSL_0_9_3beta2","OpenSSL_0_9_4","OpenSSL_0_9_5a","OpenSSL_0_9_5a-beta1","OpenSSL_0_9_5a-beta2","OpenSSL_0_9_5beta1","OpenSSL_0_9_5beta2","OpenSSL_0_9_6-beta3","OpenSSL_1_1_0-pre1","OpenSSL_1_1_0-pre2","OpenSSL_1_1_0-pre3","OpenSSL_1_1_0-pre4","OpenSSL_1_1_0-pre5","OpenSSL_1_1_0-pre6","OpenSSL_1_1_1","OpenSSL_1_1_1-pre1","OpenSSL_1_1_1-pre2","OpenSSL_1_1_1-pre3","OpenSSL_1_1_1-pre4","OpenSSL_1_1_1-pre5","OpenSSL_1_1_1-pre6","OpenSSL_1_1_1-pre7","OpenSSL_1_1_1-pre8","OpenSSL_1_1_1-pre9","master-post-auto-reformat","master-post-reformat","master-pre-auto-reformat","master-pre-reformat","openssl-3.0.0","openssl-3.0.0-alpha1","openssl-3.0.0-alpha10","openssl-3.0.0-alpha11","openssl-3.0.0-alpha12","openssl-3.0.0-alpha13","openssl-3.0.0-alpha14","openssl-3.0.0-alpha15","openssl-3.0.0-alpha16","openssl-3.0.0-alpha17","openssl-3.0.0-alpha2","openssl-3.0.0-alpha3","openssl-3.0.0-alpha4","openssl-3.0.0-alpha5","openssl-3.0.0-alpha6","openssl-3.0.0-alpha7","openssl-3.0.0-alpha8","openssl-3.0.0-alpha9","openssl-3.0.0-beta1","openssl-3.0.0-beta2","openssl-3.0.1","openssl-3.0.10","openssl-3.0.11","openssl-3.0.12","openssl-3.0.13","openssl-3.0.14","openssl-3.0.15","openssl-3.0.2","openssl-3.0.3","openssl-3.0.4","openssl-3.0.5","openssl-3.0.6","openssl-3.0.7","openssl-3.0.8","openssl-3.0.9","openssl-3.1.0","openssl-3.1.0-alpha1","openssl-3.1.0-beta1","openssl-3.1.1","openssl-3.1.2","openssl-3.1.3","openssl-3.1.4","openssl-3.1.5","openssl-3.1.6","openssl-3.1.7","openssl-3.2.0","openssl-3.2.0-alpha1","openssl-3.2.0-alpha2","openssl-3.2.0-beta1","openssl-3.2.1","openssl-3.2.2","openssl-3.2.3","openssl-3.3.0","openssl-3.3.0-alpha1","openssl-3.3.0-beta1","openssl-3.3.1","openssl-3.3.2","openssl-3.4.0","openssl-3.4.0-alpha1","openssl-3.4.0-beta1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T09:09:26Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-13176.json","vanir_signatures":[{"deprecated":false,"source":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65","target":{"file":"crypto/ec/ec_lib.c"},"id":"CVE-2024-13176-02b65757","digest":{"threshold":0.9,"line_hashes":["127754948284799574646612715291914192370","107633108841617456827974748623002941","105128839132312456559305794417964519678","220978175685594651981552750147750539139","169600024918161393316340193772684852098","117654638435679831764459313705877108896","23928219980244535399498129546065066676","293745726617568990317434370779477363519"]},"signature_version":"v1","signature_type":"Line"},{"deprecated":false,"source":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65","target":{"file":"crypto/bn/bn_exp.c","function":"BN_mod_exp_mont_consttime"},"id":"CVE-2024-13176-1033742d","digest":{"length":11318,"function_hash":"209975814518152852375258448294589197529"},"signature_version":"v1","signature_type":"Function"},{"deprecated":false,"source":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65","target":{"file":"crypto/bn/bn_exp.c"},"id":"CVE-2024-13176-17ac49d3","digest":{"threshold":0.9,"line_hashes":["173589800300154267675612065402467888493","129405406525769322493076198728768900113","136800792888609131789496600562783967119","159174750777734389295701369864010049181","158807332022056555706233351020895631932","81659307983826938737211959800551987670","65661878801926066286695416919387343632","331146051454193067843509155410151830908","106927928807750830570996030094648112881","246702777271085149088970109591189963124","13553649955201634036089378149381067019","48764857157202029741626741483796973376","50856018716436605684813922551136358229","334002642869357515784447868384854133811","63758175942037580590598196895455058189","191064388880109290899961512230526792681","25026424422371339317817700797451463299"]},"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2024-13176-23514e34","source":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902","deprecated":false,"target":{"file":"crypto/bn/bn_exp.c","function":"BN_mod_exp_mont_consttime"},"digest":{"length":11318,"function_hash":"209975814518152852375258448294589197529"},"signature_version":"v1","signature_type":"Function"},{"target":{"file":"crypto/bn/bn_exp.c"},"source":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902","signature_version":"v1","id":"CVE-2024-13176-2d5a8353","digest":{"threshold":0.9,"line_hashes":["173589800300154267675612065402467888493","129405406525769322493076198728768900113","136800792888609131789496600562783967119","159174750777734389295701369864010049181","158807332022056555706233351020895631932","81659307983826938737211959800551987670","65661878801926066286695416919387343632","331146051454193067843509155410151830908","106927928807750830570996030094648112881","246702777271085149088970109591189963124","13553649955201634036089378149381067019","48764857157202029741626741483796973376","50856018716436605684813922551136358229","334002642869357515784447868384854133811","63758175942037580590598196895455058189","191064388880109290899961512230526792681","25026424422371339317817700797451463299"]},"deprecated":false,"signature_type":"Line"},{"id":"CVE-2024-13176-37feae62","source":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467","deprecated":false,"target":{"file":"include/crypto/bn.h"},"digest":{"threshold":0.9,"line_hashes":["251324203488872817167019601435108299733","40806596891362736307168808995206433787","112583956667954258596531188879431655895","138582937579070891515807629355127583885"]},"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2024-13176-3e8d1eb9","source":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f","deprecated":false,"target":{"file":"crypto/ec/ec_lib.c"},"digest":{"threshold":0.9,"line_hashes":["127754948284799574646612715291914192370","107633108841617456827974748623002941","105128839132312456559305794417964519678","220978175685594651981552750147750539139","169600024918161393316340193772684852098","117654638435679831764459313705877108896","23928219980244535399498129546065066676","293745726617568990317434370779477363519"]},"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2024-13176-3f42d259","source":"https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65","deprecated":false,"target":{"file":"include/crypto/bn.h"},"digest":{"threshold":0.9,"line_hashes":["251324203488872817167019601435108299733","40806596891362736307168808995206433787","112583956667954258596531188879431655895","138582937579070891515807629355127583885"]},"signature_version":"v1","signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844","id":"CVE-2024-13176-4140486d","target":{"file":"crypto/bn/bn_exp.c"},"digest":{"threshold":0.9,"line_hashes":["173589800300154267675612065402467888493","129405406525769322493076198728768900113","136800792888609131789496600562783967119","159174750777734389295701369864010049181","158807332022056555706233351020895631932","81659307983826938737211959800551987670","65661878801926066286695416919387343632","331146051454193067843509155410151830908","106927928807750830570996030094648112881","246702777271085149088970109591189963124","13553649955201634036089378149381067019","48764857157202029741626741483796973376","50856018716436605684813922551136358229","334002642869357515784447868384854133811","63758175942037580590598196895455058189","191064388880109290899961512230526792681","25026424422371339317817700797451463299"]},"deprecated":false,"signature_type":"Line"},{"id":"CVE-2024-13176-48367449","source":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844","deprecated":false,"target":{"file":"include/crypto/bn.h"},"digest":{"threshold":0.9,"line_hashes":["251324203488872817167019601435108299733","40806596891362736307168808995206433787","112583956667954258596531188879431655895","138582937579070891515807629355127583885"]},"signature_version":"v1","signature_type":"Line"},{"target":{"file":"crypto/bn/bn_exp.c"},"source":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f","signature_version":"v1","id":"CVE-2024-13176-619982cd","digest":{"threshold":0.9,"line_hashes":["173589800300154267675612065402467888493","129405406525769322493076198728768900113","136800792888609131789496600562783967119","159174750777734389295701369864010049181","158807332022056555706233351020895631932","81659307983826938737211959800551987670","65661878801926066286695416919387343632","331146051454193067843509155410151830908","106927928807750830570996030094648112881","246702777271085149088970109591189963124","13553649955201634036089378149381067019","48764857157202029741626741483796973376","50856018716436605684813922551136358229","334002642869357515784447868384854133811","63758175942037580590598196895455058189","191064388880109290899961512230526792681","25026424422371339317817700797451463299"]},"deprecated":false,"signature_type":"Line"},{"target":{"file":"include/crypto/bn.h"},"source":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f","signature_version":"v1","id":"CVE-2024-13176-75a092d4","digest":{"threshold":0.9,"line_hashes":["251324203488872817167019601435108299733","40806596891362736307168808995206433787","112583956667954258596531188879431655895","138582937579070891515807629355127583885"]},"deprecated":false,"signature_type":"Line"},{"target":{"file":"include/crypto/bn.h"},"source":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902","signature_version":"v1","id":"CVE-2024-13176-948094f9","digest":{"threshold":0.9,"line_hashes":["251324203488872817167019601435108299733","40806596891362736307168808995206433787","112583956667954258596531188879431655895","138582937579070891515807629355127583885"]},"deprecated":false,"signature_type":"Line"},{"id":"CVE-2024-13176-952fba80","source":"https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f","deprecated":false,"target":{"file":"crypto/bn/bn_exp.c","function":"BN_mod_exp_mont_consttime"},"digest":{"length":11318,"function_hash":"209975814518152852375258448294589197529"},"signature_version":"v1","signature_type":"Function"},{"target":{"file":"crypto/bn/bn_exp.c","function":"BN_mod_exp_mont_consttime"},"source":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844","signature_version":"v1","id":"CVE-2024-13176-9eef3609","digest":{"length":11318,"function_hash":"209975814518152852375258448294589197529"},"deprecated":false,"signature_type":"Function"},{"deprecated":false,"source":"https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844","target":{"file":"crypto/ec/ec_lib.c"},"id":"CVE-2024-13176-b885df34","digest":{"threshold":0.9,"line_hashes":["332405531834258800453855045674511600246","158343597431739389122396850815921490520","3701881040623673446980161294049765680","220978175685594651981552750147750539139","169600024918161393316340193772684852098","117654638435679831764459313705877108896","23928219980244535399498129546065066676","293745726617568990317434370779477363519"]},"signature_version":"v1","signature_type":"Line"},{"deprecated":false,"source":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467","target":{"file":"crypto/bn/bn_exp.c","function":"BN_mod_exp_mont_consttime"},"id":"CVE-2024-13176-cd7ba068","digest":{"length":11318,"function_hash":"209975814518152852375258448294589197529"},"signature_version":"v1","signature_type":"Function"},{"deprecated":false,"source":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467","target":{"file":"crypto/bn/bn_exp.c"},"id":"CVE-2024-13176-d57277e7","digest":{"threshold":0.9,"line_hashes":["173589800300154267675612065402467888493","129405406525769322493076198728768900113","136800792888609131789496600562783967119","159174750777734389295701369864010049181","158807332022056555706233351020895631932","81659307983826938737211959800551987670","65661878801926066286695416919387343632","331146051454193067843509155410151830908","106927928807750830570996030094648112881","246702777271085149088970109591189963124","13553649955201634036089378149381067019","48764857157202029741626741483796973376","50856018716436605684813922551136358229","334002642869357515784447868384854133811","63758175942037580590598196895455058189","191064388880109290899961512230526792681","25026424422371339317817700797451463299"]},"signature_version":"v1","signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902","id":"CVE-2024-13176-f39a6b13","target":{"file":"crypto/ec/ec_lib.c"},"digest":{"threshold":0.9,"line_hashes":["127754948284799574646612715291914192370","107633108841617456827974748623002941","105128839132312456559305794417964519678","220978175685594651981552750147750539139","169600024918161393316340193772684852098","117654638435679831764459313705877108896","23928219980244535399498129546065066676","293745726617568990317434370779477363519"]},"deprecated":false,"signature_type":"Line"},{"id":"CVE-2024-13176-fe59c5b4","source":"https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467","deprecated":false,"target":{"file":"crypto/ec/ec_lib.c"},"digest":{"threshold":0.9,"line_hashes":["332405531834258800453855045674511600246","158343597431739389122396850815921490520","3701881040623673446980161294049765680","220978175685594651981552750147750539139","169600024918161393316340193772684852098","117654638435679831764459313705877108896","23928219980244535399498129546065066676","293745726617568990317434370779477363519"]},"signature_version":"v1","signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}