
CVE-2024-9143: Medium Vulnerability in Unknown Component

CVE-2024-9143 is a medium-severity vulnerability that arises when low-level GF(2^m) elliptic curve APIs are used with untrusted explicit values. This may lead to out-of-bounds memory reads or writes, potentially causing application crashes or remote code execution.

MEDIUM · CVSS 4.3 · Published October 16, 2024


CVE-2024-9143 is classified as a medium-severity vulnerability with a CVSS score of 4.3. It arises when low-level GF(2^m) elliptic curve APIs are used with untrusted explicit values for the field polynomial, which can lead to out-of-bounds memory reads or writes. While this could potentially cause application crashes or remote code execution, the likelihood that an application is vulnerable is considered low, because current protocols involving Elliptic Curve Cryptography support only named curves.

The affected APIs include EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. The risk to organizations is the potential for significant disruption if untrusted inputs are processed through these APIs.

Given the nature of this vulnerability, organizations should assess their use of elliptic curve cryptography and consider applying mitigations as necessary. The urgency for defenders is moderate; organizations should schedule remediation to address this vulnerability.

No known exploits for CVE-2024-9143 have been confirmed at this time, which is a critical aspect for organizations to consider while evaluating their risk posture.

The potential for remote code execution cannot be easily ruled out, which warrants cautious attention. Mitigation measures should include regular updates of cryptographic libraries and careful validation of curve parameters.
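One way to apply the "validate curve parameters" mitigation, as an added example that is not code from this page or from the affected library: a bounds-checked pre-parse of DER-encoded ECParameters that lets only a named-curve OID through and flags explicit characteristic-two (GF(2^m)) parameters before they reach an API such as EC_GROUP_new_from_params(). The function names and both sample byte arrays are constructed for illustration; the explicit sample is a stub containing only the fields the classifier reads.

```c
#include <stddef.h>
#include <string.h>
enum ec_kind { EC_MALFORMED, EC_NAMED, EC_EXPLICIT_OTHER, EC_EXPLICIT_GF2M };

/* Constructed samples: a namedCurve OID, and an explicit-parameters stub whose
   FieldID carries the characteristic-two-field OID (1.2.840.10045.1.2). */
const unsigned char SAMPLE_NAMED[] = {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07};
const unsigned char SAMPLE_GF2M[]  = {0x30,0x10,0x02,0x01,0x01,0x30,0x0B,0x06,0x07,
    0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x05,0x00};

/* Read one DER header inside [*p, end). Returns the tag and sets *len, leaving
   *p at the content; returns -1 if the header or content would overrun end. */
static int der_hdr(const unsigned char **p, const unsigned char *end, size_t *len)
{
    if (end - *p < 2) return -1;
    int tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {                        /* long form: n & 0x7f length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - *p) < k) return -1;
        for (n = 0; k--; ) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;
    *len = n;
    return tag;
}

/* Classify ECParameters: namedCurve (OID) vs. explicit SpecifiedECDomain. */
enum ec_kind classify_ec_params(const unsigned char *der, size_t der_len)
{
    static const unsigned char gf2m_oid[] = {0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02};
    const unsigned char *p = der, *end = der + der_len;
    size_t len = 0;
    int tag = der_hdr(&p, end, &len);
    if (tag == 0x06 && len > 0 && p + len == end) return EC_NAMED;
    if (tag != 0x30 || p + len != end) return EC_MALFORMED;
    if (der_hdr(&p, end, &len) != 0x02) return EC_MALFORMED;   /* version */
    p += len;
    if (der_hdr(&p, end, &len) != 0x30) return EC_MALFORMED;   /* fieldID */
    end = p + len;
    if (der_hdr(&p, end, &len) != 0x06) return EC_MALFORMED;   /* fieldType */
    if (len == sizeof gf2m_oid && memcmp(p, gf2m_oid, len) == 0) return EC_EXPLICIT_GF2M;
    return EC_EXPLICIT_OTHER;
}

/* Policy gate: only named curves may proceed to EC_GROUP construction. */
int ec_params_allowed(const unsigned char *der, size_t der_len)
{
    return classify_ec_params(der, der_len) == EC_NAMED;
}
```

A gate like this reduces exposure on input paths that accept EC parameters from untrusted sources; it complements updating the cryptographic library and does not replace it.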

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
