CRITICAL🇵🇱 Wersja polska

CVE-2024-28285

CVSS 9.8v3.1pub. 2024-05-14upd. 2026-04-15

A Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to co-reside in the same system with a victim process to disclose information and escalate privileges.

🤖 AI Analysis
How it works

The vulnerability is located in the SymmetricDecrypt function implemented in the cryptopp/elgamal.h file of the Crypto++ 8.9 library. An attacker who has access to the same system as the victim's process can perform a Fault Injection attack — intentional introduction of errors during cryptographic operations. The result is the ability to read sensitive data processed by the decryption function and obtain elevated privileges (privilege escalation).

Impact

An attacker can disclose protected cryptographic information processed by the victim's process and escalate their privileges on the system, which may lead to complete takeover of the environment.

Mitigation & patch

Patches available from the vendor should be applied according to references. As an additional measure, it is recommended to isolate cryptographic processes and restrict local system access only to trusted users.

Who is affected

Cryptopp Crypto++ version 8.9 (cryptopp/elgamal.h file, SymmetricDecrypt function)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References