CVE-2025-48946
NixOS vulnerability analysis and mitigation

Overview

CVE-2025-48946 affects liboqs, a C-language cryptographic library that implements post-quantum cryptography algorithms. The vulnerability is present in versions prior to 0.13.0 and concerns the HQC (Hamming Quasi-Cyclic) algorithm implementation. Disclosed on May 30, 2025, the issue is a theoretical design flaw in the HQC algorithm that causes large numbers of malformed ciphertexts to share the same implicit rejection value (GitHub Advisory).

Technical details

The vulnerability stems from a design flaw in how HQC implements the Fujisaki-Okamoto (FO) transform, particularly in its handling of the 'salt' component in the ciphertext. The issue allows for a two-query decryption failure oracle where an attacker can determine if decryption failed by comparing decapsulation results of two ciphertexts that differ only in their salt values. The CVSS v3.1 score is 3.7 (Low) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (Wiz, GitHub Advisory).

Impact

While no concrete attack on the algorithm is currently known, the vulnerability affects the security guarantees of HQC, particularly in protocols involving key derivation. The flaw means that HQC does not provide the same security guarantees as other post-quantum algorithms like Kyber or ML-KEM. Users must take extra care when implementing the algorithm in cryptographic protocols (GitHub Advisory, Durum Blog).

Mitigation and workarounds

As a mitigation measure, HQC has been disabled by default in liboqs starting from version 0.13.0. There is currently no patch available in liboqs, and the Open Quantum Safe team will update their implementation after the HQC team releases an updated algorithm specification. Users are advised to disable the HQC algorithm family until a fix is available (GitHub Commit, GitHub Advisory).
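One way to check a build against this guidance, as an added example that is not from the advisory or the liboqs project: the script below reads the text of a build's generated `oqsconfig.h` and reports the version and any active HQC switches. It assumes the header carries the `OQS_VERSION_TEXT` and `OQS_ENABLE_KEM_HQC` / `OQS_ENABLE_KEM_hqc_*` macros; both sample headers are constructed.

```python
import re

# Per the advisory, HQC is disabled by default starting with liboqs 0.13.0.
HQC_OFF_BY_DEFAULT = (0, 13, 0)

# Constructed samples shaped like a generated oqsconfig.h (not from a real build).
SAMPLE_OLD = '''
#define OQS_VERSION_TEXT "0.12.0"
#define OQS_ENABLE_KEM_ML_KEM 1
#define OQS_ENABLE_KEM_HQC 1
#define OQS_ENABLE_KEM_hqc_128 1
/* #undef OQS_ENABLE_KEM_hqc_192 */
// #define OQS_ENABLE_KEM_hqc_256 1
'''
SAMPLE_NEW = '''
#define OQS_VERSION_TEXT "0.13.0"
/* #undef OQS_ENABLE_KEM_HQC */
/* #undef OQS_ENABLE_KEM_hqc_128 */
'''

VERSION_RE = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+OQS_VERSION_TEXT[ \t]+"(\d+)\.(\d+)\.(\d+)', re.M)
# Anchoring at line start skips commented-out lines such as "/* #undef ... */".
HQC_RE = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+(OQS_ENABLE_KEM_HQC\w*)', re.M | re.I)

def parse_version(header_text):
    """Return (major, minor, patch) or None; suffixes like "-rc1" are ignored."""
    m = VERSION_RE.search(header_text)
    return tuple(int(g) for g in m.groups()) if m else None

def enabled_hqc_macros(header_text):
    # Assumption: an active #define means enabled (macros tested with #ifdef).
    return sorted(set(HQC_RE.findall(header_text)))

def audit(header_text):
    version = parse_version(header_text)
    hqc = enabled_hqc_macros(header_text)
    return {
        "version": version,
        "pre_0_13_0": version is not None and version < HQC_OFF_BY_DEFAULT,
        "hqc_enabled": hqc,
        # No patched HQC exists yet, so any enabled HQC variant needs action.
        "action_needed": bool(hqc),
    }

if __name__ == "__main__":
    for name, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, audit(text))
```

A build at 0.13.0 or later is still flagged if HQC was switched back on, since the version alone does not show whether the algorithm family is compiled in.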

Community reactions

The vulnerability was initially reported by Markku-Juhani O. Saarinen to the NIST pqc-forum mailing list, leading to technical discussions among cryptography experts. The HQC team has acknowledged the issue and indicated they are working on modifications to address the vulnerability (PQC Forum).


Source: This report was generated using AI

Related NixOS vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-14330 | CRITICAL | 9.8 | NixOS | rhel10::firefox-flatpak | No | Yes | Dec 09, 2025 |
| CVE-2025-14329 | HIGH | 8.8 | NixOS | cpe:2.3:a:mozilla:firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14333 | HIGH | 8.1 | NixOS | firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14332 | HIGH | 7.3 | NixOS | cpe:2.3:a:mozilla:firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14331 | MEDIUM | 6.5 | NixOS | rhel10::thunderbird-flatpak | No | Yes | Dec 09, 2025 |
