CVE-2024-58262
Description
The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Timing variability in curve25519-dalek's scalar subtraction functions could leak private keys; fixed in version 4.1.3.
Vulnerability
The curve25519-dalek crate before version 4.1.3 contained a timing vulnerability in Scalar52::sub (the 64-bit serial backend) and Scalar29::sub (the 32-bit serial backend). These functions subtract one scalar from another modulo the group order and are written branch-free: a limb-wise subtraction with borrow propagation is followed by a second pass that adds the modulus back under an underflow mask, which is all-ones when the difference went negative and all-zeros otherwise. Because the mask can only take those two values, LLVM's optimizer was free to compile the masked addition as a conditional branch (a jns on x86/x86_64) that skips the add when the mask is zero, so the function's execution time depended on whether the subtraction underflowed, breaking the constant-time property [1][3].
Exploitation
An attacker who can measure the execution time of cryptographic operations that call these scalar subtraction functions may be able to learn whether individual subtractions underflowed and, from that, infer bits of the secret scalars involved. No authentication is required; the attack depends on precise timing measurements, which in practice means a local or network-adjacent vantage point. The issue matters because scalars handled by this crate are frequently private keys or per-operation nonces, so any leakage about them is leakage about long-term or signing secrets [1][3].
Impact
Successful exploitation could lead to the leakage of private keys or other secret material, compromising the security of any system relying on curve25519-dalek for cryptographic operations. The issue is classified as a cryptographic failure [3].
Mitigation
The fix in version 4.1.3 routes the underflow mask through an optimization barrier, a volatile read (core::ptr::read_volatile) of the mask on every use inside the conditional-add loop. The volatile read is opaque to LLVM, so the optimizer can no longer prove that the mask is zero and cannot replace the masked addition with a branch [1][4]. Users should update to version 4.1.3 or later; no workaround is available [3].
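As an added illustration of both the mechanism described under Vulnerability and the barrier described above (example code written for this page, not curve25519-dalek's own source): a stand-in five-limb type `Limbs` with the Scalar52 layout, the same borrow and underflow-mask derivation, and the conditional add of the group order written twice, once in the pre-4.1.3 masked form and once with the read_volatile barrier. The names `Limbs`, `sub_with_borrow`, `sub_masked`, `sub_barrier` and `l_minus_one` are this example's own; the limb values of `L` are the Ed25519 group order in 52-bit radix.

```rust
/// Five little-endian 52-bit limbs, the layout Scalar52 uses (stand-in type for this example).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Limbs(pub [u64; 5]);

/// Group order l = 2^252 + 27742317777372353535851937790883648493 in 52-bit limbs.
pub const L: Limbs = Limbs([
    0x0002631a5cf5d3ed,
    0x000dea2f79cd6581,
    0x000000000014def9,
    0x0000000000000000,
    0x0000100000000000,
]);

pub const ZERO: Limbs = Limbs([0; 5]);
pub const ONE: Limbs = Limbs([1, 0, 0, 0, 0]);

const LIMB_MASK: u64 = (1u64 << 52) - 1;

/// Optimization barrier in the shape the 4.1.3 fix uses: a volatile read is opaque to
/// LLVM, so it can no longer prove `value` is 0 or all-ones and specialise on that.
fn black_box(value: u64) -> u64 {
    // SAFETY: `value` is a plain Copy integer living in this stack frame; the pointer is valid.
    unsafe { core::ptr::read_volatile(&value) }
}

/// First pass shared by both variants: limb-wise a - b with borrow propagation.
/// Returns the raw difference (mod 2^260) and a mask that is u64::MAX iff a < b, else 0.
pub fn sub_with_borrow(a: &Limbs, b: &Limbs) -> (Limbs, u64) {
    let mut diff = ZERO;
    let mut borrow: u64 = 0;
    for i in 0..5 {
        // borrow >> 63 is 1 exactly when the previous limb went negative.
        borrow = a.0[i].wrapping_sub(b.0[i] + (borrow >> 63));
        diff.0[i] = borrow & LIMB_MASK;
    }
    // Sign bit of the final borrow -> all-ones (underflow) or all-zeros (no underflow).
    let underflow_mask = ((borrow >> 63) ^ 1).wrapping_sub(1);
    (diff, underflow_mask)
}

/// Pre-4.1.3 shape: branch-free in source, but `L[i] & underflow_mask` leaves LLVM free
/// to emit a skip-when-zero branch, which is the reported timing leak.
pub fn sub_masked(a: &Limbs, b: &Limbs) -> Limbs {
    let (mut diff, underflow_mask) = sub_with_borrow(a, b);
    let mut carry: u64 = 0;
    for i in 0..5 {
        carry = (carry >> 52) + diff.0[i] + (L.0[i] & underflow_mask);
        diff.0[i] = carry & LIMB_MASK;
    }
    diff
}

/// 4.1.3 shape: the mask passes through the barrier on every use, so the compiler has
/// no value information to branch on. Results are identical to `sub_masked`.
pub fn sub_barrier(a: &Limbs, b: &Limbs) -> Limbs {
    let (mut diff, underflow_mask) = sub_with_borrow(a, b);
    let mut carry: u64 = 0;
    for i in 0..5 {
        carry = (carry >> 52) + diff.0[i] + (L.0[i] & black_box(underflow_mask));
        diff.0[i] = carry & LIMB_MASK;
    }
    diff
}

/// l - 1, derived from L for the demonstration (L[0] is odd, so no borrow is needed).
pub fn l_minus_one() -> Limbs {
    let mut r = L;
    r.0[0] -= 1;
    r
}

fn main() {
    let (_, mask) = sub_with_borrow(&ZERO, &ONE);
    println!("0 - 1 underflows, mask = {:#x}", mask);
    println!("0 - 1 mod l = {:x?}", sub_barrier(&ZERO, &ONE).0);
    println!("both variants agree: {}", sub_masked(&ZERO, &ONE) == sub_barrier(&ZERO, &ONE));
}
```

Both functions compute the same values (0 - 1 reduces to l - 1, and negating twice returns the input); the only difference is what the optimizer is allowed to know about `underflow_mask`, which is exactly the property the reported jns branch exploited. The example cannot show the timing difference itself, which depends on the LLVM version and target; confirming that requires inspecting the generated assembly of the compiled function.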
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| curve25519-dalek (crates.io) | < 4.1.3 | 4.1.3 |
Affected products
- dalek-cryptography/curve25519-dalek
Patches
415892acf1cd SECURITY: fix timing variability in backend/serial/u64/scalar.rs (#659)
1 file changed · +11 −1
curve25519-dalek/src/backend/serial/u64/scalar.rs+11 −1 modified@@ -174,6 +174,14 @@ impl Scalar52 { /// Compute `a - b` (mod l) pub fn sub(a: &Scalar52, b: &Scalar52) -> Scalar52 { + // Optimization barrier to prevent compiler from inserting branch instructions + // TODO(tarcieri): find a better home (or abstraction) for this + fn black_box(value: u64) -> u64 { + // SAFETY: `u64` is a simple integer `Copy` type and `value` lives on the stack so + // a pointer to it will be valid. + unsafe { core::ptr::read_volatile(&value) } + } + let mut difference = Scalar52::ZERO; let mask = (1u64 << 52) - 1; @@ -188,7 +196,9 @@ impl Scalar52 { let underflow_mask = ((borrow >> 63) ^ 1).wrapping_sub(1); let mut carry: u64 = 0; for i in 0..5 { - carry = (carry >> 52) + difference[i] + (constants::L[i] & underflow_mask); + // SECURITY: `black_box` prevents LLVM from inserting a `jns` conditional on x86(_64) + // which can be used to bypass this section when `underflow_mask` is zero. + carry = (carry >> 52) + difference[i] + (constants::L[i] & black_box(underflow_mask)); difference[i] = carry & mask; }
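Review bot: the barrier is introduced as a function local to `Scalar52::sub` in backend/serial/u64/scalar.rs, and that is the only file this commit touches, while the advisory text above names `Scalar29::sub` in the 32-bit backend as equally affected; the helper should live in a shared module (the TODO in the hunk already asks for a better home) so the u32 backend's conditional-add loop can use the same barrier, otherwise the fix leaves one of the two affected paths unpatched. If the crate's minimum supported Rust version allows it, `core::hint::black_box` (stable since Rust 1.66) gives an equivalent opaque barrier without the `unsafe` block, with the same caveat that neither it nor `read_volatile` is a constant-time guarantee, only a hint the optimizer currently respects.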
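Review bot: the new SECURITY comment states the intent but nothing in the patch verifies it; `black_box(underflow_mask)` only removes the range information LLVM used to justify the `jns`, so a later LLVM could still specialise the zero-mask case by another route. Add a regression check that inspects the compiled `Scalar52::sub` for conditional branches inside the conditional-add loop (for example a CI step that disassembles the object code and fails on a conditional jump there), so a reappearance is caught at build time rather than by a timing analysis. The comment should also state the invariant the branch exploited, that `underflow_mask` is always exactly 0 or `u64::MAX`, since that is what a future reader needs to know to recognise the same hazard elsewhere.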
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x4gp-pqpj-f43q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-58262 (ghsa, ADVISORY)
- github.com/dalek-cryptography/curve25519-dalek/commit/415892acf1cdf9161bd6a4c99bc2f4cb8fae5e6a (ghsa, WEB)
- github.com/dalek-cryptography/curve25519-dalek/pull/659 (ghsa, WEB)
- rustsec.org/advisories/RUSTSEC-2024-0344.html (ghsa, WEB)
- crates.io/crates/curve25519-dalek (mitre)