CVE-2024-13176 | Timing side-channel in ECDSA signature computation

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow an attacker to recover the private key. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves; in particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located on the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Published: 2025-01-20 Last update: 2026-04-15 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2024-13176 is rated Low Risk (25.9/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.10%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-13176

EPSS: the daily EPSS score estimates the relative likelihood that this CVE will be exploited; the percentile ranks it among all scored vulnerabilities (a higher percentile means a higher relative rank).

#   Date         Old EPSS score   New EPSS score   Delta (New - Old)
1   2025-11-21   0.55%            0.10%            -0.45%
2   2025-11-18   0.07%            0.55%            +0.48%
3   2025-06-30   (first record)   0.07%            n/a

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-13176

CVSS metrics for this CVE.

Base score:     4.1
Version:        3.1
Severity:       MEDIUM
Vector:         CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 0.7
Impact:         3.4
Score source:   134c704f-9b21-4f2e-91b3-4a467353bcc0

Vector breakdown:

Attack vector (AV:P): Hands-on access—USB, keyboard, opening the case—not something you do purely over the wire.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

Weakness enumeration for CVE-2024-13176

OS Trackers for CVE-2024-13176

Vendor: alpine
Priority: (not given)
Summary: 1 source package row (openssl); 196 state rows across 6 repos (3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 9, open 187.
Link: https://security.alpinelinux.org/vuln/CVE-2024-13176

Vendor: debian
Priority: not yet assigned
Summary: 2 source packages (edk2, openssl); 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie); resolved 8, open 2.
Link: https://security-tracker.debian.org/tracker/CVE-2024-13176

Vendor: redhat
Priority: low
Summary: (none)
Link: https://access.redhat.com/security/cve/CVE-2024-13176

Vendor: suse
Priority: medium (SUSE severity: moderate)
Summary: 551 source package names (0.0.17-1.1:libopenssl1_1-1.1.1w-150600.5.12.2, 0.0.17-1.1:libopenssl3-3.1.4-150600.5.24.1, …); 1634 product×package rows across 460 product lines (Container bci/dotnet-aspnet, Container bci/dotnet-runtime, …); Fixed 1260, Known Affected 221, Known Not Affected 153.
Link: https://www.suse.com/security/cve/CVE-2024-13176/

Vendor: ubuntu
Priority: low
Summary: 5 source packages (edk2, nodejs, openssl, openssl-fips, openssl1.0); 45 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial); needs-triage 13, DNE 11, released 11, not-affected 8, ignored 1, needed 1.
Link: https://ubuntu.com/security/CVE-2024-13176

Affected software / configurations for CVE-2024-13176

Vendor | Product | Version | Raw CPE
No affected products in dataset.

References for CVE-2024-13176

URL (no tags recorded)
https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844
https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467
https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902
https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65
https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f
https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded
https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86
https://openssl-library.org/news/secadv/20250120.txt
http://www.openwall.com/lists/oss-security/2025/01/20/2
https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html
https://security.netapp.com/advisory/ntap-20250124-0005/
https://security.netapp.com/advisory/ntap-20250418-0010/
https://security.netapp.com/advisory/ntap-20250502-0006/
cvelogic Threat Intelligence