CVE-2024-50382: n/a
Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.
AI Analysis
Technical Summary
CVE-2024-50382 identifies a vulnerability in the Botan cryptographic library prior to version 3.6.0, specifically in the GHASH implementation of AES-GCM within the file lib/utils/ghash/ghash.cpp. The root cause is compiler-induced secret-dependent control flow: when the code is compiled with certain LLVM versions, observed with Clang from LLVM 15 targeting RISC-V, the compiler emits a branch conditioned on secret data instead of the branch-free XOR with the carry that the source intends. Secret-dependent branching of this kind can leak timing information, undermining the confidentiality guarantees of AES-GCM encryption. The vulnerability is categorized under CWE-203 (Information Exposure Through Discrepancy). The CVSS v3.1 base score is 5.9, reflecting medium severity with a network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No patches or exploits are currently documented, but the issue is resolved by upgrading to Botan 3.6.0 or later, which presumably includes code or compiler workarounds to enforce constant-time behavior regardless of compiler optimizations.
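The bit-serial GF(2^128) multiply below, added here as an illustration and not Botan's code, shows the GHASH reduction step in both forms: the naive `if (carry) V ^= R` and the masked `V ^= R & mask` that the text describes as an XOR with carry. `value_barrier` is a hypothetical opaque-asm helper, not a Botan API, included because a mask written at source level is exactly what an optimizer may rewrite into a branch; the algorithm follows NIST SP 800-38D Algorithm 1 and the self-test inputs are constructed.

```c
#include <stdint.h>
#include <string.h>
#define GHASH_R_HI 0xE100000000000000ULL /* R = 11100001 || 0^120 (SP 800-38D) */
static uint64_t load_be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void store_be64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}
/* Hypothetical barrier (not Botan's): hides v from the optimizer so a 0/all-ones mask is not rewritten into a branch. */
static inline uint64_t value_barrier(uint64_t v) {
    __asm__ volatile("" : "+r"(v));
    return v;
}
/* Z = X * H in GF(2^128), bit-serial (SP 800-38D Algorithm 1). branchy != 0 is the naive
   "if (carry) V ^= R" form; branchy == 0 replaces each secret-dependent choice with an AND mask. */
void gf128_mul(uint8_t out[16], const uint8_t x[16], const uint8_t h[16], int branchy) {
    uint64_t zh = 0, zl = 0, vh = load_be64(h), vl = load_be64(h + 8);
    for (int i = 0; i < 128; i++) {
        uint64_t xbit = (x[i >> 3] >> (7 - (i & 7))) & 1; /* x_i, MSB of byte 0 first */
        uint64_t carry = vl & 1;                           /* bit about to shift out of V */
        if (branchy) {
            if (xbit) { zh ^= vh; zl ^= vl; }
            vl = (vl >> 1) | (vh << 63); vh >>= 1;
            if (carry) vh ^= GHASH_R_HI;                   /* branch on a secret */
        } else {
            uint64_t xm = value_barrier(0 - xbit), cm = value_barrier(0 - carry);
            zh ^= vh & xm; zl ^= vl & xm;
            vl = (vl >> 1) | (vh << 63); vh >>= 1;
            vh ^= GHASH_R_HI & cm;                         /* XOR with carry, no branch */
        }
    }
    store_be64(out, zh); store_be64(out + 8, zl);
}
/* Returns 1 when X * 1 == X (GCM's identity element is 0x80 || 0^120), the masked and
   branchy forms agree, and the product is commutative on constructed inputs; else 0. */
int gf128_selftest(void) {
    static const uint8_t one[16] = {0x80};
    uint8_t x[16], h[16], a[16], b[16];
    for (int i = 0; i < 16; i++) { x[i] = (uint8_t)(0x3B * i + 0x17); h[i] = (uint8_t)(0xA5 ^ i); }
    gf128_mul(a, x, one, 0);
    if (memcmp(a, x, 16) != 0) return 0;
    gf128_mul(a, x, h, 0); gf128_mul(b, x, h, 1);
    if (memcmp(a, b, 16) != 0) return 0;
    gf128_mul(b, h, x, 0);                                 /* commutativity check */
    return memcmp(a, b, 16) == 0;
}
```

Whether the branch is really gone can only be confirmed by inspecting the generated assembly for the target toolchain, which is the check this CVE shows is needed.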
Potential Impact
The primary impact of CVE-2024-50382 is the potential exposure of cryptographic secrets due to timing side-channel leaks in AES-GCM operations. This can compromise the confidentiality of encrypted communications or data protected by Botan on affected platforms, particularly RISC-V systems compiled with vulnerable LLVM versions. While the vulnerability does not affect integrity or availability, leaking encryption keys or authentication tags can allow attackers to decrypt sensitive data or forge messages. The high attack complexity and lack of known exploits reduce immediate risk, but organizations relying on Botan for secure communications or data protection in critical systems may face significant confidentiality breaches if exploited. This is especially relevant for embedded systems, IoT devices, or infrastructure using RISC-V processors and LLVM toolchains. The vulnerability's network attack vector means remote attackers could attempt exploitation without local access, increasing the threat surface.
Mitigation Recommendations
To mitigate CVE-2024-50382, organizations should:
1) Upgrade Botan to version 3.6.0 or later, where the vulnerability is addressed.
2) Review and standardize build environments to avoid using LLVM 15 or other affected compiler versions that introduce secret-dependent branching, especially for RISC-V targets.
3) Employ compiler flags or code annotations that enforce constant-time operations and prevent compiler optimizations that introduce secret-dependent control flow.
4) Conduct side-channel analysis and testing on cryptographic implementations to detect unintended timing leaks.
5) For critical deployments, consider using alternative cryptographic libraries with verified constant-time implementations if upgrading Botan or changing compilers is not immediately feasible.
6) Monitor vendor advisories and security bulletins for patches or additional mitigations related to Botan and LLVM toolchains.
7) Implement network-level protections to limit exposure of vulnerable services to untrusted networks, reducing attack opportunities.
Affected Countries
United States, China, Germany, Japan, South Korea, India, France, United Kingdom, Canada, Russia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-23T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b99b7ef31ef0b557175
Added to database: 2/25/2026, 9:37:29 PM
Last enriched: 2/27/2026, 10:37:34 PM
Last updated: 4/12/2026, 3:42:06 PM