CVE-2014-5270
Libgcrypt < 1.5.4 - Side-Channel Key Extraction via Voltage Analysis
Title source: llmDescription
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
References (5)
Core 5
Core References
Patch, Vendor Advisory mailing-list
x_refsource_mlist
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-3073
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2014/08/16/2
Technical Description x_refsource_misc
http://www.cs.tau.ac.il/~tromer/handsoff/
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-3024
Scores
EPSS
0.0053
EPSS Percentile
41.0%
Details
CWE
CWE-200
Status
published
Products (10)
debian/debian_linux
7.0
gnupg/libgcrypt
1.4.0
gnupg/libgcrypt
1.4.3
gnupg/libgcrypt
1.4.4
gnupg/libgcrypt
1.4.5
gnupg/libgcrypt
1.4.6
gnupg/libgcrypt
1.5.0
gnupg/libgcrypt
1.5.1
gnupg/libgcrypt
1.5.2
gnupg/libgcrypt
< 1.5.3
Published
Oct 10, 2014
Tracked Since
Feb 18, 2026