IBM Common Cryptographic Architecture information disclosure
Description
IBM Common Cryptographic Architecture (CCA) RSA operations in versions 7.0.0 through 7.5.36 exhibit non-constant-time behavior, enabling remote timing attacks to leak sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Common Cryptographic Architecture (CCA) RSA operations in versions 7.0.0 through 7.5.36 exhibit non-constant-time behavior, enabling remote timing attacks to leak sensitive information.
Vulnerability
IBM Common Cryptographic Architecture (CCA) versions 7.0.0 through 7.5.36 (for the 4769 cryptographic coprocessor) contain a timing side-channel vulnerability in RSA operations. Under certain conditions, the implementation does not execute in constant time, allowing an attacker to correlate execution duration with secret data [1].
Exploitation
An unauthenticated remote attacker with network access to the affected system can exploit this vulnerability by measuring the timing of RSA cryptographic operations. The attack requires high complexity (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) because precise timing measurements and multiple observations are needed to extract meaningful information [1].
Impact
Successful exploitation leads to a low confidentiality impact: the attacker can obtain sensitive information, such as cryptographic key material, through timing analysis. No integrity or availability impact is expected [1].
Mitigation
IBM has released CCA version 7.5.37 or later to fix this vulnerability. Users should upgrade to the latest version from the IBM CCA Software Download Page. No workaround is documented [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2>=7.0.0, <=7.5.36+ 1 more
- (no CPE)range: >=7.0.0, <=7.5.36
- (no CPE)range: 7.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- www.ibm.com/support/pages/node/7145168mitrevendor-advisory
- exchange.xforce.ibmcloud.com/vulnerabilities/257676mitrevdb-entry
News mentions
0No linked articles in our index yet.