cve/2024/CVE-2024-37880.md

### [CVE-2024-37880](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37880)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a timing side channel that allows attackers to recover an ML-KEM 512 secret key in minutes. This occurs because poly_frommsg in poly.c does not prevent Clang from emitting a vulnerable secret-dependent branch.

### POC

#### Reference
- https://github.com/antoonpurnal/clangover
- https://pqshield.com/pqshield-plugs-timing-leaks-in-kyber-ml-kem-to-improve-pqc-implementation-maturity/

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds