CVE-2024-37880 identifies a timing side-channel vulnerability in the Kyber post-quantum cryptographic reference implementation before commit 9b8d306. Kyber is a lattice-based key encapsulation mechanism (KEM) designed to resist quantum computer attacks. The vulnerability arises specifically when the code is compiled using LLVM Clang compilers through version 18.x with common optimization settings. The root cause is that the poly_frommsg function in poly.c contains secret-dependent branching that the Clang compiler does not eliminate or mask, leading to timing variations observable by an attacker. These timing differences allow an attacker to recover the ML-KEM 512 secret key in a matter of minutes. The vulnerability does not require any privileges or user interaction, making remote exploitation feasible if the attacker can measure timing accurately. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, low complexity, no privileges required, and high confidentiality impact. The flaw is categorized under CWE-203 (Information Exposure Through Discrepancy). No patches or exploits are currently reported, but the issue is critical for implementations relying on this Kyber version compiled with affected Clang versions. The vulnerability highlights the importance of constant-time coding practices and compiler behavior awareness in cryptographic software development.

The primary impact of CVE-2024-37880 is the compromise of confidentiality through secret key recovery. Successful exploitation allows attackers to recover the ML-KEM 512 secret key used in Kyber, undermining the security guarantees of the post-quantum cryptographic scheme. This can lead to decryption of sensitive communications, impersonation, or further cryptographic attacks. Since Kyber is intended for securing communications against quantum adversaries, this vulnerability weakens future-proof cryptographic deployments. Organizations relying on vulnerable Kyber implementations, especially in environments where LLVM Clang is used for compilation, face significant risks of key compromise. The vulnerability does not affect integrity or availability directly but can facilitate further attacks that do. Given the increasing interest in post-quantum cryptography, this flaw could impact government agencies, research institutions, and enterprises adopting Kyber for secure communications. The ease of exploitation without authentication or user interaction increases the threat level, especially in network-exposed systems.

1. Upgrade to the Kyber reference implementation at or beyond commit 9b8d306, where the poly_frommsg function is fixed to prevent secret-dependent branching. 2. Recompile Kyber using compilers that do not emit secret-dependent branches in poly_frommsg, or apply compiler flags that enforce constant-time code generation if available. 3. Conduct thorough code audits and side-channel analysis when integrating cryptographic libraries, especially when using aggressive compiler optimizations. 4. Employ side-channel resistant coding practices, such as avoiding secret-dependent branches and memory accesses. 5. Monitor cryptographic library updates and advisories for patches addressing this and related vulnerabilities. 6. For critical systems, consider using hardware-based cryptographic modules or implementations with formal side-channel resistance proofs. 7. Limit exposure of cryptographic operations to untrusted networks or users to reduce timing measurement feasibility. 8. Implement runtime mitigations such as noise injection or constant-time wrappers if immediate patching is not possible. 9. Validate the compiler toolchain and build environment to ensure no regressions or similar issues are introduced.