
CVE-2025-9231: Medium Vulnerability in SM2 Algorithm Implementation

CVE-2025-9231 is a medium-severity vulnerability in the SM2 signature algorithm implementation in OpenSSL on 64-bit ARM platforms. A timing side-channel in that implementation could potentially allow an attacker to recover the SM2 private key remotely. Organizations should include it in their security assessments and patching processes.

Severity: Medium · CVSS 6.5 · Published September 30, 2025


CVE-2025-9231 is a medium-severity timing side-channel in the SM2 algorithm implementation on 64-bit ARM platforms. The running time of operations that use an SM2 private key depends on secret data, so an attacker who can take enough timing measurements of those operations could potentially recover the private key, and the measurements can in principle be taken remotely. OpenSSL does not itself support certificates with SM2 keys in TLS, but such support can be added through a custom provider; where a deployment has done so, the timing signal means a remote attack may be feasible against that deployment.
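As an added illustration, not OpenSSL's code and not the affected ARM64 routine (whose internals the advisory does not describe), the following Python models why a secret-dependent timing signal in SM2 matters. The curve constants are the published SM2 parameters; the private key, nonces and digest value are constructed test values, a group-operation counter stands in for wall-clock time, and the naive double-and-add loop is a deliberately leaky stand-in rather than a claim about how OpenSSL performs scalar multiplication. The point the example makes: SM2 signing computes k·G with a fresh secret nonce k, and the signature equation lets anyone who learns k solve for the long-term key d, so any leak about k from timing is a leak about d.

```python
import hashlib

# SM2 recommended curve parameters (GB/T 32918.5-2017, curve sm2p256v1).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity


class Counter:
    """Counts group operations: a deterministic stand-in for wall-clock time."""
    def __init__(self):
        self.ops = 0


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p, q, ctr):
    """Affine point addition (or doubling) on y^2 = x^3 + A*x + B over GF(P)."""
    ctr.ops += 1
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                       # p == -q
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul_naive(k, pt, ctr):
    """Left-to-right double-and-add (the leaky stand-in). It skips leading
    zero bits and adds only on 1-bits, so the operation count, and hence the
    time, reveals the bit length and Hamming weight of the secret k."""
    r = INF
    for bit in bin(k)[2:]:
        r = add(r, r, ctr)
        if bit == "1":
            r = add(r, pt, ctr)
    return r


def mul_ladder(k, pt, ctr, bits=N.bit_length()):
    """Montgomery ladder over a fixed number of bits: one addition and one
    doubling per bit whatever k is. (A real implementation also needs
    branch-free swaps and constant-time field arithmetic; this models only
    the operation-count leak.)"""
    r0, r1 = INF, pt
    for i in range(bits - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1, ctr), add(r1, r1, ctr)
        else:
            r1, r0 = add(r0, r1, ctr), add(r0, r0, ctr)
    return r0


def ops_for(mul, k):
    ctr = Counter()
    mul(k, G, ctr)
    return ctr.ops


def leak_profile(mul, nonces):
    """Operation counts an observer would see for a list of nonces."""
    return [ops_for(mul, k) for k in nonces]


def sm2_sign(d, e, k):
    """SM2 signature (r, s) for digest value e, private key d and nonce k.
    SM2 derives e with SM3 over the message and user id; here e is just an
    integer passed in by the caller."""
    x1, _ = mul_ladder(k, G, Counter())
    r = (e + x1) % N
    s = pow(1 + d, -1, N) * (k - r * d) % N
    return r, s


def recover_d(r, s, k):
    """Solve s*(1+d) = k - r*d (mod N) for d once the nonce k is known."""
    return (k - s) * pow(s + r, -1, N) % N


def constructed(label):
    """Deterministic constructed test value in [0, N); not a real key."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N


if __name__ == "__main__":
    nonces = [constructed(bytes([i])) for i in range(4)] + [1, 2 ** 200]
    print("naive  :", leak_profile(mul_naive, nonces))    # varies with k
    print("ladder :", leak_profile(mul_ladder, nonces))   # same for every k
    d, e, k = constructed(b"d"), constructed(b"e"), constructed(b"k")
    r, s = sm2_sign(d, e, k)
    print("key recovered from one leaked nonce:", recover_d(r, s, k) == d)
```

With the whole nonce known, one signature gives the key outright. A timing channel normally leaks far less, for example the bit length of k or a few of its top bits per signature, but collecting that partial information over many signatures is enough for lattice (hidden-number-problem) attacks on the key, which is why a measurable timing signal in the signing path is treated as a private-key recovery issue even when the demonstrated leak is small. A remote attacker sees the total response time over a noisy network, so the attack needs many samples, but it does not need code execution on the target.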

The issue is rated medium: remote recovery of the private key is the worst-case outcome, but no exploitation of it has been reported. The FIPS modules in OpenSSL 3.0 through 3.5 are not affected, because SM2 is not an approved algorithm and is not included in them.

Organizations should apply the vendor fix to remove the possibility of private-key recovery, giving priority to 64-bit ARM systems that use SM2 keys, and especially to deployments where a custom provider exposes SM2 operations to untrusted network peers. Remediation urgency is moderate, so the update can be scheduled through the normal vulnerability management process.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
