{"api_version":"1","generated_at":"2026-04-22T23:22:12+00:00","cve":"CVE-2023-24532","urls":{"html":"https://cve.report/CVE-2023-24532","api":"https://cve.report/api/cve/CVE-2023-24532.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-24532","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-24532"},"summary":{"title":"CVE-2023-24532","description":"The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-03-08 20:15:00","updated_at":"2023-11-07 04:08:00"},"problem_types":["CWE-682"],"metrics":[],"references":[{"url":"https://go.dev/issue/58647","name":"https://go.dev/issue/58647","refsource":"MISC","tags":[],"title":"crypto/elliptic: specific unreduced P-256 scalars produce incorrect results (CVE-2023-24532) · Issue #58647 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pkg.go.dev/vuln/GO-2023-1621","name":"https://pkg.go.dev/vuln/GO-2023-1621","refsource":"MISC","tags":[],"title":"GO-2023-1621 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/471255","name":"https://go.dev/cl/471255","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/3-TpUx48iQY","name":"https://groups.google.com/g/golang-announce/c/3-TpUx48iQY","refsource":"MISC","tags":[],"title":"[security] Go 1.20.2 and Go 1.19.7 are released","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-24532","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24532","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"24532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-24532","qid":"184193","title":"Debian Security Update for golang-1.19 (CVE-2023-24532)"},{"cve":"CVE-2023-24532","qid":"296100","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 58.144.3 Missing (CPUAPR2023)"},{"cve":"CVE-2023-24532","qid":"354890","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2015"},{"cve":"CVE-2023-24532","qid":"354901","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1731"},{"cve":"CVE-2023-24532","qid":"355216","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-175"},{"cve":"CVE-2023-24532","qid":"355697","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2163"},{"cve":"CVE-2023-24532","qid":"355797","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2023-026"},{"cve":"CVE-2023-24532","qid":"355837","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2023-029"},{"cve":"CVE-2023-24532","qid":"356180","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-001"},{"cve":"CVE-2023-24532","qid":"356503","title":"Amazon Linux Security Advisory for golang : ALAS2GOLANG1.19-2023-001"},{"cve":"CVE-2023-24532","qid":"502862","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24532","qid":"503187","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24532","qid":"506080","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24532","qid":"691086","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (742279d6-bdbe-11ed-a179-2b68e9d12706)"},{"cve":"CVE-2023-24532","qid":"753772","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:0733-1)"},{"cve":"CVE-2023-24532","qid":"753839","title":"SUSE Enterprise Linux Security Update for container-suseconnect (SUSE-SU-2023:0871-1)"},{"cve":"CVE-2023-24532","qid":"908039","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (37385-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-24532","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-682: Incorrect Calculation"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go standard library","product":{"product_data":[{"product_name":"crypto/internal/nistec","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.7"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/58647","refsource":"MISC","name":"https://go.dev/issue/58647"},{"url":"https://go.dev/cl/471255","refsource":"MISC","name":"https://go.dev/cl/471255"},{"url":"https://groups.google.com/g/golang-announce/c/3-TpUx48iQY","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/3-TpUx48iQY"},{"url":"https://pkg.go.dev/vuln/GO-2023-1621","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1621"}]},"credits":[{"lang":"en","value":"Guido Vranken, via the Ethereum Foundation bug bounty program"}]},"nvd":{"publishedDate":"2023-03-08 20:15:00","lastModifiedDate":"2023-11-07 04:08:00","problem_types":["CWE-682"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}