CVE-2017-7526 - Vulnerability Details

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.03739.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Gnupg	Libgcrypt

Configuration 1 [-]

cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/99338
http://www.securitytracker.com/id/1038915
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7526
https://eprint.iacr.org/2017/627
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=78130828e9a140a9de4dafadbc844dbb64cb709a
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=8725c99ffa41778f382ca97233183bcd687bb0ce
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=e6a3dc9900433bbc8ad362a595a3837318c28fa9
https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
https://nvd.nist.gov/vuln/detail/CVE-2017-7526
https://usn.ubuntu.com/3733-1/
https://usn.ubuntu.com/3733-2/
https://www.cve.org/CVERecord?id=CVE-2017-7526
https://www.debian.org/security/2017/dsa-3901
https://www.debian.org/security/2017/dsa-3960

History

Wed, 17 Dec 2025 23:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.02675}`	epss `{'score': 0.02395}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-07-26T13:00:00.000Z

Updated: 2025-12-17T22:06:14.998Z

Reserved: 2017-04-05T00:00:00.000Z

Link: CVE-2017-7526

Vulnrichment

Updated: 2024-08-05T16:04:11.873Z

NVD

Status : Modified

Published: 2018-07-26T13:29:00.183

Modified: 2024-11-21T03:32:05.007

Link: CVE-2017-7526

Redhat

Severity : Moderate

Publid Date: 2017-06-29T00:00:00Z

Links: CVE-2017-7526 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object