CVE-2024-58262: 
Rust vulnerability analysis and mitigation

The curve25519-dalek crate before version 4.1.3 for Rust contains a timing vulnerability in its constant-time operation on elliptic curve scalars. The vulnerability was discovered in June 2024 and affects the Scalar29::sub (32-bit) and Scalar52::sub (64-bit) functions, where LLVM optimization removes intended constant-time operations (RUSTSEC Advisory, GitHub PR).

The vulnerability stems from the usage of mask values inside loops where LLVM compiler optimization inserts a branch instruction (jns on x86) to conditionally bypass code sections when the mask value is zero. This creates timing variability that could potentially leak secret values such as elliptic curve scalars. The issue was discovered using the DATA tool by researchers Alexander Wagner and Lea Themint, with compiler output demonstrating the problematic optimization visible in godbolt (RUSTSEC Advisory).

The timing variability could potentially lead to the leakage of private keys and other cryptographic secrets. Since the affected functions handle elliptic curve scalars, which are critical components in cryptographic operations, this vulnerability could compromise the security of systems relying on constant-time operations (GitHub PR).

The vulnerability has been fixed in curve25519-dalek version 4.1.3 and later. The fix introduces a volatile read as an optimization barrier, which prevents the compiler from optimizing away the constant-time operations. Users should upgrade to version 4.1.3 or later to mitigate this vulnerability (RUSTSEC Advisory).