CVE-2024-54137

Published: Dec 6, 2024
Source: redhat
CVSS3: 7.4

Description

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext. This vulnerability is fixed in 0.12.0.

A flaw was found in the liboqs library. A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This issue results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.

Statement

This vulnerability is rated Important rather than Moderate because of its impact on the fundamental security guarantees of the HQC KEM. The mishandling of the secret key, where a sensitive component (sigma) is treated as part of the public key, introduces a structural flaw in the cryptographic implementation. This flaw allows malformed ciphertexts to bypass the implicit rejection check and produce incorrect shared secrets. Such behavior undermines the confidentiality and correctness of the key encapsulation mechanism, potentially enabling adversaries to manipulate cryptographic processes or leak sensitive information. While no concrete exploit has been identified, the theoretical attack surface created by the secret key mismanagement significantly raises the risk level, particularly in security-critical systems or applications relying on HQC for post-quantum resilience.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Additional information

Status: Important
Weakness: CWE-200
Bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2330843 (liboqs: liboqs has a correctness error in HQC decapsulation)
CVSS3: 7.4 (High)

Related vulnerabilities

ubuntu, CVSS3: 7.4, about 1 year ago

nvd, CVSS3: 7.4, about 1 year ago

debian, CVSS3: 7.4, about 1 year ago

suse-cvrf, about 1 year ago: Security update for liboqs, oqs-provider