Search for vulnerabilities
Vulnerability details: VCID-fbbm-6m4a-tufb
Vulnerability ID VCID-fbbm-6m4a-tufb
Aliases CVE-2025-27587
Summary OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.
Status Disputed
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-27587
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.3 https://github.com/openssl/openssl/issues/24253
ssvc Track https://github.com/openssl/openssl/issues/24253
cvssv3.1 5.3 https://minerva.crocs.fi.muni.cz
ssvc Track https://minerva.crocs.fi.muni.cz
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-27587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27587
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://minerva.crocs.fi.muni.cz
24253 https://github.com/openssl/openssl/issues/24253
CVE-2025-27587 https://nvd.nist.gov/vuln/detail/CVE-2025-27587
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/openssl/openssl/issues/24253
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T16:16:27Z/ Found at https://github.com/openssl/openssl/issues/24253
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://minerva.crocs.fi.muni.cz
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T16:16:27Z/ Found at https://minerva.crocs.fi.muni.cz
Exploit Prediction Scoring System (EPSS)
Percentile 0.1533
EPSS Score 0.0005
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-08-01T11:15:23.716921+00:00 NVD CVE Status Improver Improve https://cveawg.mitre.org/api/cve/CVE-2025-27587 37.0.0
2025-07-31T09:27:27.610625+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/27xxx/CVE-2025-27587.json 37.0.0