CVE-2017-9526

Name: CVE-2017-9526
Creator: NVD / NIST
Published: 2017-06-11T02:29:00.183+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.32%

Last modified Jun 17, 2026

CVE-2017-9526 is a vulnerability of currently unknown severity. In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.. EPSS estimates a 2.32% chance of exploitation in the next 30 days.

Description

In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.

Metrics

EPSS Probability

2.32%

81.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions
Gnupg	Libgcrypt	<= 1.7.6

References

Timeline

Published: Jun 11, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-9526?

How severe is CVE-2017-9526?

Severity scoring for CVE-2017-9526 is pending analysis. The EPSS model estimates a 2.32% probability of exploitation in the next 30 days.

How do I fix CVE-2017-9526?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-9526?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST