Post-Quantum Cryptography Vulnerability in oqs-provider Affects TLS, X.509, and S/MIME
CVE-2024-37305

8.2HIGH

Key Information:

Vendor: Open-quantum-safe
Status: Oqs-provider
Vendor: CVE Published:; 17 June 2024

🔔 Create Open-quantum-safe Vulnerability Alert

What is CVE-2024-37305?

The oqs-provider, a component of the OpenSSL 3 cryptography library that integrates post-quantum cryptographic support, contains a vulnerability related to improper handling of length values when decoding serialized hybrid keys and signatures. This flaw, identified in the DECODE_UINT32 function, allows for the exploitation of unchecked length values, potentially resulting in application crashes or leakage of sensitive information. Affected versions require immediate attention, with a patched release available in v0.6.1. Users are advised to upgrade promptly as no workarounds exist for this issue.

Affected Version(s)

oqs-provider < 0.6.1

References

https://github.com/open-quantum-safe/oqs-provider/securit...

x_refsource_CONFIRM

https://github.com/open-quantum-safe/oqs-provider/pull/416

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2024
Vulnerability Reserved
Jun 5, 2024

CVE-2024-37305 Data

JSON