CVE-2025-48946

LOW EPSS 10.0%
Published May 30, 20251y ago · Modified Jun 17, 20262w ago
3.7 CVSS 3.1
Low
Find Similar
Published May 30, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. liboqs prior to version 0.13.0 supports the HQC algorithm, an algorithm with a theoretical design flaw which leads to large numbers of malformed ciphertexts sharing the same implicit rejection value. Currently, no concrete attack on the algorithm is known. However, prospective users of HQC must take extra care when using the algorithm in protocols involving key derivation. In particular, HQC does not provide the same security guarantees as Kyber or ML-KEM. There is currently no patch for the HQC flaw available in liboqs, so HQC is disabled by default in liboqs starting from version 0.13.0. OQS will update its implementation after the HQC team releases an updated algorithm specification.

CVSS Details

Base Score
3.7
Exploitability
2.2
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
10.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-327

Affected Products 1

VendorProductVersionRange
openquantumsafeliboqs* <0.13.0

References 4

  • durumcrustulum.com https://durumcrustulum.com/2024/02/24/how-to-hold-kems/#hqc
    Product
  • github.com https://github.com/open-quantum-safe/liboqs/commit/a7d698ca9c9d98990647459253183cbe29c550af
    Patch
  • github.com https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-3rxw-4v8q-9gq5
    Vendor Advisory
  • groups.google.com https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Wiu4ZQo3fP80
    Issue TrackingMailing List

Remediation

  • github.com https://github.com/open-quantum-safe/liboqs/commit/a7d698ca9c9d98990647459253183cbe29c550af
    Patch