CVE-2024-50383: n/a
Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)
AI Analysis
Technical Summary
CVE-2024-50383 is a side-channel weakness in the Botan cryptographic library before 3.6.0. The affected code is donna128 in lib/utils/donna128.h, a software emulation of a 128-bit unsigned integer built from two 64-bit limbs. Botan uses this emulation only where the compiler offers no native 128-bit integer type, which in practice means 32-bit targets; 64-bit builds use the native type and never touch the class, so only 32-bit processors can be affected. donna128 backs the 64x64-to-128-bit multiply-and-accumulate arithmetic in Poly1305 (and therefore ChaCha20-Poly1305) and in X25519. The source of the addition is written branch-free: the carry out of the low limb is computed as a 0 or 1 value and added unconditionally to the high limb. Certain GCC versions (observed with GCC 11.3.0 at -O2 on MIPS, and with GCC on i386) lower that unconditional add into a conditional one, so the addition is skipped whenever the carry is not set. The carry depends on the limb values, which are derived from key material and other secrets, so the instruction trace and timing of the computation become secret-dependent and the constant-time property the code relies on is lost. The CVSS v3.1 base score is 5.9 (medium): network attack vector, high attack complexity, no privileges or user interaction, high confidentiality impact, no integrity or availability impact. The CVE record carries no patch link; the fix is the Botan 3.6.0 release, and upgrading to 3.6.0 or later is the recommended remediation. No exploitation in the wild has been reported, but any system relying on an affected Botan build for ChaCha20-Poly1305 or X25519 on a 32-bit platform is exposed.
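The arithmetic described above, as an added example that is not Botan's code: a minimal two-limb model of a donna128-style 128-bit integer, the branch-free addition as it is written at source level, the conditional form the affected GCC builds were observed to emit for it, and the 32-bit-limb multiply-accumulate that Poly1305 and X25519 run through it. Type and function names (u128, u128_add, u128_add_as_miscompiled, u128_mul64, u128_mac) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Botan's code: a 128-bit unsigned integer emulated
 * with two 64-bit limbs, the situation Botan is in on targets without a
 * native 128-bit integer type (i.e. 32-bit builds). */
typedef struct {
    uint64_t l;   /* low 64 bits  */
    uint64_t h;   /* high 64 bits */
} u128;

/* Branch-free addition as written at source level: the carry out of the
 * low limb is a 0/1 value that is added to the high limb unconditionally.
 * CVE-2024-50383 is the case where the compiler turns this unconditional
 * add into the conditional one shown in u128_add_as_miscompiled. */
static u128 u128_add(u128 a, u128 b) {
    u128 r;
    r.l = a.l + b.l;
    uint64_t carry = (r.l < a.l);      /* 1 iff the low add wrapped past 2^64 */
    r.h = a.h + b.h + carry;
    return r;
}

/* The control flow the affected binaries were observed to have: same
 * result, but the high-limb increment only executes when the carry is set,
 * so instruction timing and branch-predictor state depend on the operands. */
static u128 u128_add_as_miscompiled(u128 a, u128 b) {
    u128 r;
    r.l = a.l + b.l;
    r.h = a.h + b.h;
    if (r.l < a.l) {
        r.h += 1;                      /* skipped when there is no carry */
    }
    return r;
}

/* 64x64 -> 128-bit multiply from 32-bit halves, the only way a 32-bit
 * target can do it. The partial products are combined with carries that
 * depend on the operand bits. */
static u128 u128_mul64(uint64_t a, uint64_t b) {
    uint64_t a0 = (uint32_t)a, a1 = a >> 32;
    uint64_t b0 = (uint32_t)b, b1 = b >> 32;
    uint64_t p00 = a0 * b0, p01 = a0 * b1, p10 = a1 * b0, p11 = a1 * b1;
    /* middle column: three values below 2^32, so the sum fits in 64 bits */
    uint64_t mid = (p00 >> 32) + (uint32_t)p01 + (uint32_t)p10;
    u128 r;
    r.l = (mid << 32) | (uint32_t)p00;
    r.h = p11 + (p01 >> 32) + (p10 >> 32) + (mid >> 32);
    return r;
}

/* Multiply-accumulate as the Poly1305 and X25519 limb arithmetic does it:
 * acc += a * b. Each call runs through the carry-propagating add, with
 * a and b derived from key material, so each carry is secret-dependent. */
static u128 u128_mac(u128 acc, uint64_t a, uint64_t b) {
    return u128_add(acc, u128_mul64(a, b));
}

/* Comparison helper for checks: does x equal (h << 64) | l ? */
static int u128_eq(u128 x, uint64_t h, uint64_t l) {
    return x.h == h && x.l == l;
}

int main(void) {
    u128 s = u128_add((u128){ UINT64_MAX, 0 }, (u128){ 1, 0 });
    u128 p = u128_mul64(UINT64_MAX, UINT64_MAX);
    u128 m = u128_mac((u128){ UINT64_MAX, 0 }, 1, 1);
    printf("2^64-1 + 1   = 0x%016llx%016llx\n", (unsigned long long)s.h, (unsigned long long)s.l);
    printf("(2^64-1)^2   = 0x%016llx%016llx\n", (unsigned long long)p.h, (unsigned long long)p.l);
    printf("mac(2^64-1)  = 0x%016llx%016llx\n", (unsigned long long)m.h, (unsigned long long)m.l);
    return 0;
}
```

Both add functions return identical values for every input; the difference is only in control flow, which is why source review and functional tests cannot detect the bug. Whether a given toolchain produces the first or the second shape for u128_add can only be settled by disassembling the object it emits for the target.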
Potential Impact
The impact of CVE-2024-50383 is the loss of constant-time execution in arithmetic that handles secrets. On an affected 32-bit build, whether the donna128 high-limb increment runs depends on a carry computed from the operands, so the instruction trace and timing of Poly1305 and X25519 computations vary with key-dependent values. For X25519 the operands derive from the private key (long-term or ephemeral); for ChaCha20-Poly1305 they derive from the one-time Poly1305 key and the message. Recovery of those values would expose the confidentiality of the protected traffic and, for an X25519 private key, allow impersonation or man-in-the-middle attacks. Integrity and availability are not directly affected. Each carry that is not set skips one increment, so an attacker needs fine-grained timing or microarchitectural observation, most realistically from code co-resident on the same hardware, to exploit it; the network attack vector in the CVSS rating reflects that the operations can be triggered remotely, but remote timing of this small a difference is at the limit of practicality, which is why the attack complexity is rated high. Deployments of Botan on 32-bit embedded devices, legacy systems and specialised hardware are the ones exposed. No exploitation in the wild has been reported, but high-value environments that still run 32-bit Botan builds should treat it as a credible target.
Mitigation Recommendations
To mitigate CVE-2024-50383, organizations should: 1) Upgrade Botan to version 3.6.0 or later, where the compiler-induced secret-dependent operation is fixed. 2) If upgrading is not immediately possible, rebuild Botan with a different compiler version or optimization level and verify the result: the observed triggers are GCC 11.3.0 with -O2 on MIPS and GCC on i386, but other versions or flags may behave the same way, so switching toolchains alone is not proof. Disassemble the object that contains donna128 (for example with objdump -d) and confirm that no conditional branch follows the compare that computes the carry. 3) Test constant-time behaviour on the affected platform with a method that sees control flow, not just results: marking key material as undefined under Valgrind memcheck (the ctgrind/Timecop technique) reports any branch on secret-derived data, and a two-class timing test such as dudect can corroborate it. 4) Limit exposure of the affected operations by restricting network access to services that perform X25519 or ChaCha20-Poly1305 on affected builds and by isolating them from untrusted co-resident code. 5) Monitor cryptographic libraries and compiler toolchains for updates addressing similar side-channel risks, since the class of bug (a compiler rewriting branch-free source into a branch) is not specific to Botan. 6) For embedded or legacy devices that cannot be rebuilt, prefer a 64-bit build where the hardware allows it, or move to a cryptographic library whose constant-time arithmetic has been verified for that exact toolchain. 7) Implement defense-in-depth by combining cryptographic best practices with system-level protections to reduce the impact of potential key leakage, and consider rotating X25519 private keys that were used on affected builds in exposed settings.
Affected Countries
United States, China, Russia, India, Germany, Japan, South Korea, Brazil, France, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-23T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b99b7ef31ef0b55717b
Added to database: 2/25/2026, 9:37:29 PM
Last enriched: 2/27/2026, 10:37:48 PM
Last updated: 4/12/2026, 12:07:29 AM