cve/2025/CVE-2025-52473.md

### [CVE-2025-52473](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52473)
![](https://img.shields.io/static/v1?label=Product&message=liboqs&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%200.14.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-200%3A%20Exposure%20of%20Sensitive%20Information%20to%20an%20Unauthorized%20Actor&color=brightgreen)

### Description

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Multiple secret-dependent branches have been identified in the reference implementation of the HQC key encapsulation mechanism when it is compiled with Clang for optimization levels above -O0 (-O1, -O2, etc). A proof-of-concept local attack exploits this secret-dependent information to recover the entire secret key. This vulnerability is fixed in 0.14.0.

### POC

#### Reference
- https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-qq3m-rq9v-jfgm

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds