CVE-2024-50382 Information

Description

Botan before 3.6.0 when certain LLVM versions are used has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.

Reference

https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957 https://github.com/randombit/botan/compare/3.5.0…3.6.0 https://arxiv.org/pdf/2410.13489 https://news.ycombinator.com/item?id=41887153