{"id":"GHSA-7r92-3jgr-r65q","summary":"pyquorum: Timing side‑channel in mul_mod","details":"### Impact\nThe `mul_mod` function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can measure the time of secret‑sharing operations (e.g., via a remote service) could progressively recover the values of shares, ultimately leading to secret reconstruction.\n\n### Patches\nhttps://github.com/svvqt/pyquorum/releases/tag/v0.2.1","aliases":["CVE-2026-44368"],"modified":"2026-05-14T20:49:41.673697Z","published":"2026-05-06T22:40:15Z","database_specific":{"nvd_published_at":"2026-05-13T21:16:47Z","github_reviewed":true,"github_reviewed_at":"2026-05-06T22:40:15Z","severity":"MODERATE","cwe_ids":["CWE-208"]},"references":[{"type":"WEB","url":"https://github.com/svvqt/pyquorum/security/advisories/GHSA-7r92-3jgr-r65q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44368"},{"type":"WEB","url":"https://github.com/svvqt/pyquorum/commit/1e9ac41dd3c305c13d7a6b7d227bf325be82d730"},{"type":"PACKAGE","url":"https://github.com/svvqt/pyquorum"},{"type":"WEB","url":"https://github.com/svvqt/pyquorum/releases/tag/v0.2.1"}],"affected":[{"package":{"name":"pyquorum","ecosystem":"PyPI","purl":"pkg:pypi/pyquorum"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.2.1"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7r92-3jgr-r65q/GHSA-7r92-3jgr-r65q.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}