Information disclosure in Gnupg Libgcrypt
CVE-2017-7526
libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on…
Vulnerability class: Information Disclosure
EPSS: 0.028 (86.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N.
Affected products
- Gnupg Libgcrypt — versions 1.7.8
Weakness classification (CWE)
Public proof-of-concept exploits
References
- USN-3733-1 (x_refsource_UBUNTU, vendor-advisory)
- bugzilla.redhat.com/show_bug.cgi (x_refsource_CONFIRM)
- 1038915 (vdb-entry, x_refsource_SECTRACK)
- DSA-3960 (vendor-advisory, x_refsource_DEBIAN)
- git.gnupg.org/cgi-bin/gitweb.cgi (x_refsource_CONFIRM)
- DSA-3901 (vendor-advisory, x_refsource_DEBIAN)
- USN-3733-2 (x_refsource_UBUNTU, vendor-advisory)
- eprint.iacr.org/2017/627 (x_refsource_MISC)
- 99338 (vdb-entry, x_refsource_BID)
- [gnupg-announce] 20170629 Libgcrypt 1.7.8 released to fix CVE-2017-7526 (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2017-7526?
- CVE-2017-7526 is a medium-severity vulnerability in Gnupg Libgcrypt, classified under Information Disclosure. CVSS score: 6.1/10. Published 2018-07-26.
- How severe is CVE-2017-7526?
- Medium severity. CVSS v3 base score is 6.1 out of 10.
- Is CVE-2017-7526 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.