CVE-2015-8805
CVE-2015-8805 is a critical-severity vulnerability in Nettle Project Nettle with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-310.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 3% (85th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-310
- Affected product: Nettle Project Nettle
- Published:
- Last modified:
Description
The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.
Frequently asked questions
- What is CVE-2015-8805?
- The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.
- How severe is CVE-2015-8805?
- CVE-2015-8805 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2015-8805 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (85th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2015-8805?
- CVE-2015-8805 primarily affects Nettle Project Nettle. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2015-8805?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2015-8805 published?
- CVE-2015-8805 was published on 2016-02-23 and last updated on 2026-06-17.
References
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html
- http://rhn.redhat.com/errata/RHSA-2016-2582.html
- http://www.openwall.com/lists/oss-security/2016/02/02/2
- http://www.openwall.com/lists/oss-security/2016/02/03/1
- http://www.securityfocus.com/bid/84272
- http://www.ubuntu.com/usn/USN-2897-1
- https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
- https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
Affected products (6)
- cpe:2.3:a:nettle_project:nettle:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
More vulnerabilities in Nettle Project Nettle
- CVE-2023-36660 — Critical (CVSS 9.8): The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption.
- CVE-2015-8804 — Critical (CVSS 9.8): x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output…
- CVE-2015-8803 — Critical (CVSS 9.8): The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces…
- CVE-2021-20305 — High (CVSS 8.1): A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA,…
- CVE-2021-3580 — High (CVSS 7.5): A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could…
- CVE-2016-6489 — High (CVSS 7.5): The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side…
All CVEs affecting Nettle Project Nettle →
Other CWE-310 (Cryptographic Issues) vulnerabilities
- CVE-2014-7878 — Critical (CVSS 10.0): The Application Lifecycle Service (ALS) in HP Helion Cloud Development Platform 1.0, when a virtual machine is derived…
- CVE-2013-3712 — Critical (CVSS 10.0): SUSE Studio Onsite 1.3.x before 1.3.6 and SUSE Studio Extension for System z 1.3 uses "static" secret tokens, which has…
- CVE-2013-6952 — Critical (CVSS 10.0): The Belkin WeMo Home Automation firmware before 3949 has a hardcoded GPG key, which makes it easier for remote…
- CVE-2013-6838 — Critical (CVSS 10.0): An unspecified Enghouse Interactive Professional Services "addon product" in Enghouse Interactive IVR Pro (VIP2000)…
- CVE-2013-0137 — Critical (CVSS 10.0): The default configuration of the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189…
- CVE-2011-5123 — Critical (CVSS 10.0): The Antivirus component in Comodo Internet Security before 5.3.175888.1227 does not check whether X.509 certificates in…