CVE-2025-9231
MediumCVSS 6.5Exploitation Probability (EPSS)
High risk81th percentile - higher than 81% of all known CVEs
Summary
A timing side-channel vulnerability in the SM2 algorithm implementation on 64-bit ARM platforms could allow remote recovery of the private key. This issue does not affect standard TLS configurations in OpenSSL but may be exploited in custom setups using SM2 certificates.
Risk Assessment
An attacker could remotely recover the SM2 private key, compromising the confidentiality and integrity of data protected by that key. The risk is moderate as it requires specific configurations and ARM platforms.
Recommendation
Update OpenSSL to a patched version (e.g., 3.5.1, 3.4.2, 3.3.3, 3.2.4, 3.1.8, 3.0.16) and avoid using SM2 certificates in custom TLS providers on ARM platforms.
Original NVD description (English source)
Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.. While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack. OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.

