CVE-2022-48570
Description
Crypto++ 8.4 and earlier reverted constant-time fix, reintroducing ECDSA timing side-channel, and had out-of-bounds write in unaligned memory allocation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Crypto++ through version 8.4 contains two distinct issues: a timing side-channel in ECDSA signature generation caused by the rollback of the constant-time elliptic curve algorithms (previously fixed for CVE-2019-14318), and an out-of-bounds write in FixedSizeAllocatorWithCleanup when the allocated memory is not 16-byte aligned [1][2]. The revert was intentional, made for functionality reasons [2]. Versions 8.4 and earlier are affected: the out-of-bounds write exists in versions prior to 8.4, while the timing side-channel is present in 8.4 (re-introduced) and possibly in earlier builds.
Exploitation
For the timing side-channel, an attacker must be able to precisely measure the duration of ECDSA signing operations (e.g., via network timing or local observation) and perform statistical analysis to infer the private key. For the out-of-bounds write, an attacker would need to trigger memory allocation that is not 16-byte aligned, potentially through crafted inputs or specific system conditions, leading to writes outside the allocated buffer. No further exploitation details are provided in the available references [1][2].
Impact
Successful exploitation of the timing side-channel allows recovery of the ECDSA private key, breaking confidentiality of signing operations. The out-of-bounds write can cause memory corruption, potentially leading to arbitrary code execution, information disclosure, or denial of service, depending on the adjacent memory contents.
Mitigation
Crypto++ 8.4 fixes the out-of-bounds write in FixedSizeAllocatorWithCleanup [2], but simultaneously reverts the constant-time fixes, re-introducing the timing side-channel [2]. No official patch for the timing side-channel has been provided in the referenced releases; users should upgrade to a version that restores constant-time guarantees (if available) or mitigate by restricting access to ECDSA signing operations. For the out-of-bounds write, upgrading to version 8.4 or later is sufficient.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Crypto++ / Crypto++
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.