Vulnerability details: VCID-w192-d7k6-h3a3
Vulnerability ID VCID-w192-d7k6-h3a3
Aliases CVE-2024-50383
Summary Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in ChaCha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)
Status Published
Exploitability 0.5
Weighted Severity 5.3
Risk 2.6
Weaknesses (0)
There are no known CWEs.
System Score Found at
epss 0.00144 https://api.first.org/data/v1/epss?cve=CVE-2024-50383
epss 0.00173 https://api.first.org/data/v1/epss?cve=CVE-2024-50383
cvssv3.1 5.9 https://arxiv.org/pdf/2410.13489
ssvc Track https://arxiv.org/pdf/2410.13489
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.9 https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
ssvc Track https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
cvssv3.1 5.9 https://github.com/randombit/botan/compare/3.5.0...3.6.0
ssvc Track https://github.com/randombit/botan/compare/3.5.0...3.6.0
cvssv3.1 5.9 https://news.ycombinator.com/item?id=41887153
ssvc Track https://news.ycombinator.com/item?id=41887153
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://arxiv.org/pdf/2410.13489
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/ Found at https://arxiv.org/pdf/2410.13489
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/ Found at https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/randombit/botan/compare/3.5.0...3.6.0
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/ Found at https://github.com/randombit/botan/compare/3.5.0...3.6.0
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://news.ycombinator.com/item?id=41887153
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/ Found at https://news.ycombinator.com/item?id=41887153
Exploit Prediction Scoring System (EPSS)
Percentile 0.34753
EPSS Score 0.00144
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:37:58.802955+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0