BoringSSL Google BoringSSL BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

stack.watch can email you when security vulnerabilities are reported in Google BoringSSL. You can add multiple products that you use with BoringSSL to create your own personal software stack watcher.

By the Year

In 2021 there have been 0 vulnerabilities in Google BoringSSL . BoringSSL did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2021 0 0.00
2020 0 0.00
2019 0 0.00
2018 4 4.85

It may take a day or so for new BoringSSL vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest Google BoringSSL Security Vulnerabilities

BoringSSL through 2018-06-14

CVE-2018-12440 4.7 - Medium - June 15, 2018

BoringSSL through 2018-06-14 allows a memory-cache side-channel attack on DSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a DSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

CVE-2018-12440 is exploitable with local system access, and requires small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.0 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Information Leak

** DISPUTED ** cryptlib through 3.4.4

CVE-2018-12433 4.9 - Medium - June 15, 2018

** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. NOTE: the vendor does not include side-channel attacks within its threat model.

CVE-2018-12433 can be explotited with physical access, and does not require authorization privledges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 0.5 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Key Management Errors

The Elliptic Curve Cryptography library (aka sunec or libsunec)

CVE-2018-12438 4.9 - Medium - June 15, 2018

The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

CVE-2018-12438 is exploitable with physical access, and does not require authorization privledges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 0.5 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Key Management Errors

LibTomCrypt through 1.18.1

CVE-2018-12437 4.9 - Medium - June 15, 2018

LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

CVE-2018-12437 can be explotited with physical access, and does not require authorization privledges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 0.5 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Key Management Errors