OpenSSL Vulnerability in PowerPC Architecture Exposes Private Key Information
CVE-2025-27587
5.3 MEDIUM
What is CVE-2025-27587?
OpenSSL on the PowerPC architecture is vulnerable to a timing side-channel attack known as the Minerva attack. The attack measures how long it takes to generate signatures over random messages with the EVP_DigestSign API. By analyzing the timing differences between signatures generated with different nonce sizes, an attacker may extract the K value (nonce) used during signing, which could ultimately allow retrieval of the private key. The issue relates specifically to the P-364 curve implementation. The OpenSSL security policy states that timing side channels of this kind, which can only be detected on the same physical system, are considered outside the threat model for the software.
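A simplified model of why signing work can track nonce size, and of one standard countermeasure (padding the scalar to a fixed bit length); this is an added illustration, not OpenSSL's code or its fix. The toy curve, the Montgomery ladder and the helper names are assumptions chosen for the example, and the block counts group operations instead of measuring wall-clock time.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of prime order 19.
# Constructed textbook-sized parameters (assumption); counts operations, not time.
P, A, G, N = 17, 2, (5, 1), 19

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ladder(k, point):
    """Montgomery ladder: returns (k*point, number of group operations)."""
    r0, r1, ops = None, point, 0
    for i in reversed(range(k.bit_length())):  # loop length follows the scalar size
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
        ops += 2
    return r0, ops

def pad_scalar(k):
    """Return k + N or k + 2N so the scalar always has N.bit_length() + 1 bits."""
    k2 = k + N
    return k2 + N if k2.bit_length() == N.bit_length() else k2

def ops_by_bit_length(scalar_map):
    """Map nonce bit length -> set of operation counts over all nonces 1..N-1."""
    seen = {}
    for k in range(1, N):
        q, ops = ladder(scalar_map(k), G)
        assert q == ladder(k, G)[0]  # padding must not change k*G
        seen.setdefault(k.bit_length(), set()).add(ops)
    return seen

leaky = ops_by_bit_length(lambda k: k)   # work grows with nonce bit length
fixed = ops_by_bit_length(pad_scalar)    # same work for every nonce
print("unpadded:", leaky, "\npadded:  ", fixed)
```

In the unpadded run each nonce bit length maps to its own operation count, which is the kind of correlation a timing measurement picks up; with padding every nonce costs the same number of operations.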