CVE-2023-50980
Description
Crypto++ up to 8.9.0 crashes on malformed DER public-key data for binary curves due to missing polynomial exponent order validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In gf2n.cpp of Crypto++ (cryptopp) through version 8.9.0, the EC2N::DecodePoint function lacks validation that the exponents in the polynomial representation of an F(2^m) curve are in strictly decreasing order. When parsing specially crafted DER public-key data (as defined in ASN.1 for elliptic curves over binary fields), an out-of-order exponent sequence causes a segmentation fault due to an out-of-bounds access in GF2NT::Reduced(). This issue affects all releases up to and including 8.9.0 [1].
Exploitation
An attacker needs the ability to supply a malformed DER-encoded public key to an application using the affected Crypto++ library. The attacker crafts an ASN.1 ECPoint or SubjectPublicKeyInfo structure whose tpBasis or ppBasis field carries polynomial exponents that are not in strictly decreasing order (e.g., swapping the exponent pairs in the GeneralizedPolynomialRepresentation). When the target application calls EC2N::DecodePoint (for example during ECDSA signature verification or key import), processing reaches GF2NT::Reduced with an unexpected polynomial representation and triggers a segmentation fault, with no user interaction beyond the file or network input being processed [1].
Impact
Successful exploitation causes a denial of service (application crash) through a segmentation fault. The attacker does not gain code execution or data disclosure; the impact is limited to disrupting availability of any service that processes attacker-supplied binary-curve public keys via Crypto++. The crash occurs before authentication, so an unauthenticated remote attacker can crash a server performing ECDSA verification with a malformed certificate or public key [1].
Mitigation
As of the publication date (2023-12-18), no official patch has been released for this issue. Crypto++ maintainers have acknowledged the report [1]. Users should monitor the project's repository for a fix (expected in a future release > 8.9.0). Until a patched version is available, applications that accept binary-curve public keys from untrusted sources should validate the exponent ordering themselves before calling EC2N::DecodePoint, or alternatively reject binary curves entirely if not required. No workaround is provided in the library itself.
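The caller-side pre-check recommended above, as an added example that is not Crypto++ code or the project's own: it takes the reduction polynomial of an F(2^m) field as a list of exponents, highest first, and rejects any list that is not strictly decreasing or does not have trinomial or pentanomial shape. The function name, the enum and the 163-bit sample polynomial are constructed for this illustration; extracting the exponents from decoded DER field parameters is left to the caller.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Result of validating the reduction polynomial of an F(2^m) field.
// Hypothetical helper for callers of Crypto++; not library code.
enum class PolyCheck {
    Ok,
    WrongTermCount,        // only trinomials (3 terms) and pentanomials (5 terms) are accepted
    BadLeadingTerm,        // first exponent must equal the field degree m
    BadConstantTerm,       // last exponent must be 0 (the "+ 1" term)
    NotStrictlyDecreasing  // the ordering defect behind CVE-2023-50980
};

// exps lists the exponents of the non-zero terms of x^m + ... + 1, highest
// first. Shape and ordering are checked; irreducibility is not.
PolyCheck ValidateReductionPolynomial(unsigned m, const std::vector<unsigned>& exps) {
    if (exps.size() != 3 && exps.size() != 5) return PolyCheck::WrongTermCount;
    if (exps.front() != m) return PolyCheck::BadLeadingTerm;
    if (exps.back() != 0) return PolyCheck::BadConstantTerm;
    // Every term must be strictly smaller than the one before it. A repeated
    // or swapped exponent is the malformed ordering that vulnerable versions
    // pass through to GF2NT::Reduced() unchecked.
    for (std::size_t i = 1; i < exps.size(); ++i) {
        if (exps[i] >= exps[i - 1]) return PolyCheck::NotStrictlyDecreasing;
    }
    return PolyCheck::Ok;
}

int main() {
    // Constructed sample inputs: the pentanomial x^163 + x^7 + x^6 + x^3 + 1
    // in the expected order, and the same terms with two exponents swapped.
    const std::vector<unsigned> good = {163, 7, 6, 3, 0};
    const std::vector<unsigned> swapped = {163, 6, 7, 3, 0};
    std::printf("good:    %s\n",
                ValidateReductionPolynomial(163, good) == PolyCheck::Ok ? "accept" : "reject");
    std::printf("swapped: %s\n",
                ValidateReductionPolynomial(163, swapped) == PolyCheck::Ok ? "accept" : "reject");
    return 0;
}
```

Run the check on the field parameters before the key reaches EC2N::DecodePoint and treat anything other than `PolyCheck::Ok` as a rejected key.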
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- Crypto++/Crypto++
- Range: <=8.9.0
- OSV coordinates (5 versions):
  - pkg:rpm/opensuse/libcryptopp&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/libcryptopp&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/opensuse/libcryptopp&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/libcryptopp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5
  - pkg:rpm/suse/libcryptopp&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP4
- Ranges (no CPE):
  - < 5.6.5-150000.1.9.1
  - < 8.6.0-150400.3.3.1
  - < 8.9.0-1.1
  - < 8.6.0-150400.3.3.1
  - < 8.6.0-150400.3.3.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.