Vulnerability Description
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arm | Mbed Tls | < 2.28.2 |
| Fedoraproject | Fedora | 36 |
Related Weaknesses (CWE)
References
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2Release NotesThird Party Advisory
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0Release NotesThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2Release NotesThird Party Advisory
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0Release NotesThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/06/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2022-46392?
CVE-2022-46392 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking...
How severe is CVE-2022-46392?
CVE-2022-46392 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-46392?
Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Tls, Fedoraproject Fedora.