Search for vulnerabilities
Vulnerability details: VCID-av6f-h7c6-aaaq
Vulnerability ID VCID-av6f-h7c6-aaaq
Aliases CVE-2017-9526
Summary In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-385 Covert Timing Channel
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9526.html
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-9526.json
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00388 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00397 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00397 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00397 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00397 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.00402 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
epss 0.01173 https://api.first.org/data/v1/epss?cve=CVE-2017-9526
rhbs low https://bugzilla.redhat.com/show_bug.cgi?id=1459887
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9526
cvssv2 2.6 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2017-9526
cvssv3 5.9 https://nvd.nist.gov/vuln/detail/CVE-2017-9526
generic_textual Low https://ubuntu.com/security/notices/USN-3347-1
cvssv3.1 9.8 https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
generic_textual CRITICAL https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
cvssv3.1 9.8 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
generic_textual CRITICAL http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9526.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-9526.json
https://api.first.org/data/v1/epss?cve=CVE-2017-9526
https://bugzilla.suse.com/show_bug.cgi?id=1042326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9526
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=5a22de904a0a366ae79f03ff1e13a1232a89e26b
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=f9494b3f258e01b6af8bd3941ce436bcc00afc56
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56
https://ubuntu.com/security/notices/USN-3347-1
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
http://www.debian.org/security/2017/dsa-3880
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.securityfocus.com/bid/99046
1459887 https://bugzilla.redhat.com/show_bug.cgi?id=1459887
cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
CVE-2017-9526 https://nvd.nist.gov/vuln/detail/CVE-2017-9526
USN-3347-1 https://usn.ubuntu.com/3347-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-9526.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:L/AC:H/Au:N/C:P/I:P/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-9526
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-9526
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.57046
EPSS Score 0.00388
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.