Description
In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis.
Published: 2026-03-19
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Timing side‑channel leakage enabling local recovery of secret ECC keys
Action: Patch
AI Analysis

Impact

A compiler optimization in GCC removes the constant‑time masking by converting the code into conditional branches, breaking the side‑channel resistance of ECC scalar multiplication. The result is a timing side‑channel that allows a local attacker who can observe execution time to reconstruct secret ECC keys. The weakness is classified as CWE‑203 and directly threatens the confidentiality of cryptographic material.
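The pattern at issue is a masked table lookup: every entry is read and combined with an all-ones or all-zeros mask so that the selected index never controls a branch. The following is an added illustration, not wolfSSL's code; the table layout, the `ct_get_entry`/`ct_mask_eq`/`ct_barrier` names and the sample values are assumptions. The empty GCC-style `asm` barrier makes the mask opaque to the optimizer, which is the usual mitigation for the transformation described above; it is not a guarantee, so the compiled routine should still be inspected (for example with `objdump -d`) for branch instructions such as `bnez`/`beqz` on the mask.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a precomputed-point table: 9 limbs per entry,
 * mirroring the "_9" suffix of sp_256_get_entry_256_9. Constructed data only. */
#define ENTRY_LIMBS   9
#define TABLE_ENTRIES 16

typedef struct { uint32_t v[ENTRY_LIMBS]; } entry_t;

/* Compiler barrier: the optimizer must treat x as an unknown runtime value,
 * so "x & mask" cannot be rewritten as "if (i == idx)". */
static inline uint32_t ct_barrier(uint32_t x) {
    __asm__ __volatile__("" : "+r"(x) : : "memory");
    return x;
}

/* 0xFFFFFFFF when a == b, else 0, with no data-dependent branch. */
static inline uint32_t ct_mask_eq(uint32_t a, uint32_t b) {
    uint32_t d  = a ^ b;
    uint32_t nz = (d | (0u - d)) >> 31;   /* 1 iff d != 0 */
    return ct_barrier(nz - 1u);           /* 0 -> all ones, 1 -> 0 */
}

/* Constant-time selection of table[idx]: every entry is read and masked. */
static void ct_get_entry(entry_t *r, const entry_t *table, size_t n, uint32_t idx) {
    memset(r, 0, sizeof(*r));
    for (size_t i = 0; i < n; i++) {
        uint32_t m = ct_mask_eq((uint32_t)i, idx);
        for (size_t j = 0; j < ENTRY_LIMBS; j++)
            r->v[j] |= table[i].v[j] & m;
    }
}

/* Fills a constructed table and checks the masked lookup against a plain
 * indexed read for every index. Returns 1 when all results agree. */
int ct_lookup_selftest(void) {
    entry_t table[TABLE_ENTRIES];
    for (uint32_t i = 0; i < TABLE_ENTRIES; i++)
        for (uint32_t j = 0; j < ENTRY_LIMBS; j++)
            table[i].v[j] = 0x01000000u * i + j + 1;   /* constructed values */
    for (uint32_t idx = 0; idx < TABLE_ENTRIES; idx++) {
        entry_t got;
        ct_get_entry(&got, table, TABLE_ENTRIES, idx);
        if (memcmp(&got, &table[idx], sizeof(got)) != 0)
            return 0;
    }
    return 1;
}
```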

Affected Systems

The vulnerability is present only in wolfSSL 5.8.4 when built for RISC‑V RV32I targets with the -O3 optimisation level. Builds for other architectures, earlier or later wolfSSL releases, and builds with different optimisation settings are not affected.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity, and an EPSS score below 1 % shows a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attacks require local access and precise timing measurements, so practical exploitability is limited, yet the potential impact of compromised ECC keys could be catastrophic.

Generated by OpenCVE AI on March 23, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest wolfSSL release where the GCC optimisation issue is resolved.
  • If an upgrade is not possible, rebuild wolfSSL with a lower optimisation level (e.g., -O2 or -O1) or use compiler options that inhibit the transformation in the affected routine.
  • Restrict local physical and network access to devices running the vulnerable build to reduce the feasibility of timing attacks.


Tracking


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:00:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:wolfssl:wolfssl:5.8.4:*:*:*:*:*:*:*
Metrics |                | cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wolfssl; Wolfssl wolfssl
Vendors & Products  |                | Wolfssl; Wolfssl wolfssl

Thu, 19 Mar 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 20:00:00 +0000

Type        | Values Removed | Values Added
Description |                | In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis.
Title       |                | Compiler-induced timing leak in sp_256_get_entry_256_9 on RISC-V
Weaknesses  |                | CWE-203
References  |                |
Metrics     |                | cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-03-19T20:25:20.427Z

Reserved: 2026-03-05T00:16:16.057Z

Link: CVE-2026-3580

Vulnrichment

Updated: 2026-03-19T20:25:14.415Z

NVD

Status: Analyzed

Published: 2026-03-19T20:16:14.450

Modified: 2026-03-23T18:57:07.400

Link: CVE-2026-3580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:10Z

Weaknesses