CVE-2025-9231
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2025-09-30

Last updated on: 2026-06-02

Assigner: OpenSSL Software Foundation

Description
Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.. While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack. OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9231
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
openssl openssl 3.5.4
openssl openssl 3.0.18
openssl openssl 3.2.6
openssl openssl 3.3.5
openssl openssl 1.1.1zd
openssl openssl 3.4.3
openssl openssl 1.0.2zm
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-385 Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a timing side-channel issue in the SM2 algorithm implementation on 64-bit ARM platforms. It arises because the modular inversion operation in SM2 cryptographic computations was not performed in constant time, allowing attackers to potentially measure timing differences and recover the private key remotely. The vulnerability specifically affects SM2 signature computations and could leak sensitive key information through timing analysis. [1, 2, 3, 4]

Impact Analysis

If you use SM2 cryptographic keys on 64-bit ARM platforms, an attacker could exploit timing differences during signature computations to recover your private key remotely. This would compromise the security of your cryptographic operations, potentially allowing unauthorized access or impersonation. However, since OpenSSL does not directly support SM2 keys in TLS by default, the risk is limited to environments where custom providers add such support. [1, 2, 3, 4]

Mitigation Strategies

To mitigate this vulnerability, update your OpenSSL implementation to a version that includes the fix for CVE-2025-9231. The fix involves implementing a constant-time modular inversion algorithm in the SM2 cryptographic operations, which prevents timing side-channel attacks. Applying the relevant patches or upgrading to a version of OpenSSL that contains these commits will address the issue. [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9231. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart