Acknowledged
Created: Oct 10, 2025
Updated: Oct 17, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Userspace
Issue summary: A timing side-channel which could potentially allow remote[EOL]recovery of the private key exists in the SM2 algorithm implementation on 64 bit[EOL]ARM platforms.[EOL][EOL]Impact summary: A timing side-channel in SM2 signature computations on 64 bit[EOL]ARM platforms could allow recovering the private key by an attacker..[EOL][EOL]While remote key recovery over a network was not attempted by the reporter,[EOL]timing measurements revealed a timing signal which may allow such an attack.[EOL][EOL]OpenSSL does not directly support certificates with SM2 keys in TLS, and so[EOL]this CVE is not relevant in most TLS contexts. However, given that it is[EOL]possible to add support for such certificates via a custom provider, coupled[EOL]with the fact that in such a custom provider context the private key may be[EOL]recoverable via remote timing measurements, we consider this to be a Moderate[EOL]severity issue.[EOL][EOL]The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this[EOL]issue, as SM2 is not an approved algorithm.
