CVE-2024-2236
Publication date 6 March 2024
Last updated 11 July 2025
Ubuntu priority
CVSS 3 Severity Score
Description
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Why is this CVE low priority?
libgcrypt developers consider this to be a low severity issue
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libgcrypt11 | 25.10 questing | Not in release |
| | 25.04 plucky | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| | 20.04 LTS focal | Not in release |
| | 14.04 LTS trusty | Vulnerable, fix deferred |
| libgcrypt20 | 25.10 questing | Vulnerable, fix deferred |
| | 25.04 plucky | Vulnerable, fix deferred |
| | 24.04 LTS noble | Vulnerable, fix deferred |
| | 22.04 LTS jammy | Vulnerable, fix deferred |
| | 20.04 LTS focal | Vulnerable, fix deferred |
| | 18.04 LTS bionic | Vulnerable, fix deferred |
| | 16.04 LTS xenial | Vulnerable, fix deferred |
Notes
mdeslaur
No upstream fix for this issue as of 2024-11-25. libgcrypt developers consider this to be a low severity issue.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
Other references
- https://access.redhat.com/security/cve/CVE-2024-2236
- https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html
- https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt
- https://dev.gnupg.org/T7136
- https://www.cve.org/CVERecord?id=CVE-2024-2236
- https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17