CVE-2022-46392
5.3
MEDIUM
CVSS 3.1
EPSS 0.23%
Description
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
How to fix CVE-2022-46392
To remediate CVE-2022-46392, upgrade the affected package to a fixed version below.
- —upgrade to 2.16.9-0.1+deb11u1 or later
Is CVE-2022-46392 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.16.9-0.1+deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |