CVE-2024-45192 identifies a vulnerability in the Matrix libolm cryptographic library, specifically in versions up to 3.2.16. The flaw arises from the use of base64 decoding when handling group session keys, which introduces a side-channel attack vector through cache-timing analysis. Cache-timing attacks exploit variations in the time taken by the system to perform cryptographic operations, potentially allowing an attacker to infer secret key material. In this case, the base64 decoding process leaks timing information that can be measured remotely, enabling an attacker with network access and low privileges to recover sensitive group session keys. These keys are critical for decrypting group communications in Matrix’s end-to-end encryption scheme. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality. Notably, this issue only impacts products that are no longer supported by the libolm maintainers, meaning no official patches or updates are provided. The CVSS v3.1 score is 5.3 (medium), reflecting the network attack vector, required low privileges, no user interaction, and high confidentiality impact. There are no known exploits in the wild, and the vulnerability was published on August 22, 2024. The CWE associated is CWE-385 (Use of Cryptographically Weak Pseudo-Random Number Generator). Given the lack of patch availability, mitigation relies on operational controls or migration to supported versions.

The primary impact of CVE-2024-45192 is the potential disclosure of sensitive cryptographic group session keys used in Matrix end-to-end encrypted group chats. This compromises the confidentiality of group communications, allowing attackers to decrypt messages and potentially gather sensitive information. Since the vulnerability does not affect integrity or availability, the system’s operation and message authenticity remain intact. The requirement for network access and low privileges lowers the barrier for exploitation, but the complexity of performing cache-timing attacks remotely may limit widespread abuse. The fact that only unsupported products are affected reduces the overall risk to the broader user base but poses a significant threat to organizations that continue to use legacy or unmaintained Matrix implementations. Such organizations may face data breaches, loss of privacy, and exposure of confidential communications. The absence of patches means that affected entities must rely on alternative mitigations or migration, increasing operational risk. The medium severity rating reflects these factors.

Since no official patches are available for this vulnerability in unsupported libolm versions, organizations should prioritize migrating to supported versions of libolm or alternative cryptographic libraries that do not exhibit this timing side-channel. If migration is not immediately feasible, network-level mitigations such as isolating affected systems, restricting access to trusted networks, and monitoring for unusual traffic patterns can reduce exposure. Implementing constant-time cryptographic operations or using hardened base64 decoding routines in custom forks may mitigate timing leakage but requires expert development effort. Additionally, organizations should audit their use of Matrix-based encrypted messaging to identify legacy deployments and plan decommissioning or upgrades. Employing end-to-end encryption solutions with active maintenance and security support is critical. Regular security assessments and penetration testing focusing on side-channel vulnerabilities can help detect similar issues early. Finally, educating developers and administrators about side-channel risks and secure coding practices will reduce future vulnerabilities.