Search for vulnerabilities
Vulnerability details: VCID-8nqz-ezpz-27dd
Vulnerability ID VCID-8nqz-ezpz-27dd
Aliases CVE-2022-46392
Summary An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-203 Observable Discrepancy
System Score Found at
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00131 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
epss 0.00131 https://api.first.org/data/v1/epss?cve=CVE-2022-46392
cvssv3.1 5.3 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
ssvc Track https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
cvssv3.1 5.3 https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0
ssvc Track https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL/
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB/
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2022-46392
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-46392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46392
4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL/
6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB/
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
CVE-2022-46392 https://nvd.nist.gov/vuln/detail/CVE-2022-46392
v2.28.2 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
v3.3.0 https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:33:01Z/ Found at https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:33:01Z/ Found at https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:33:01Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:33:01Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-46392
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.31896
EPSS Score 0.00121
Published At Sept. 9, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:51:48.568589+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/46xxx/CVE-2022-46392.json 37.0.0