CVE-2026-44368 MEDIUM

CVE-2026-44368: PyQuorum: Timing side‑channel in mul_mod

Vendor Svvqt
Product pyquorum
Weakness CWE-208
Published May 13, 2026
Last update May 15, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can measure the time of secret‑sharing operations (e.g., via a remote service) could progressively recover the values of shares, ultimately leading to secret reconstruction. This vulnerability is fixed in 0.2.1.
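The behaviour described above, as an added illustration that is not PyQuorum's source code: a double-and-add multiplication whose count of modular additions equals the Hamming weight of the second operand, beside a variant that performs the same work for every operand. The function names, the modulus `P` and the operand values are constructed for this example.

```python
# Added illustration; not taken from PyQuorum. All names and values are assumptions.
P = 2**127 - 1  # constructed prime modulus for the demo


def mul_mod_leaky(a, b, p):
    """Binary-expansion multiply: adds only when the current bit of b is set.

    Returns (a*b mod p, number of modular additions performed).
    """
    result, adds = 0, 0
    a %= p
    while b:
        if b & 1:                      # secret-dependent branch
            result = (result + a) % p
            adds += 1
        a = (a << 1) % p
        b >>= 1                        # loop length also tracks b's bit length
    return result, adds


def mul_mod_fixed(a, b, p, bits):
    """Same ladder over a fixed width: the addition is always computed and
    kept or discarded with a mask, so the operation count ignores b's bits.

    Python integers give no constant-time guarantee; this only removes the
    Hamming-weight-dependent work that the advisory describes.
    """
    result, adds = 0, 0
    a %= p
    for i in range(bits):
        mask = -((b >> i) & 1)         # 0 if bit clear, -1 (all ones) if set
        candidate = (result + a) % p
        adds += 1
        result = (candidate & mask) | (result & ~mask)
        a = (a << 1) % p
    return result, adds


if __name__ == "__main__":
    a = 0x1234567890ABCDEF             # constructed public operand
    low_weight = 1 << 125              # Hamming weight 1
    high_weight = (1 << 126) - 1       # Hamming weight 126
    for name, b in (("low", low_weight), ("high", high_weight)):
        _, leaky = mul_mod_leaky(a, b, P)
        _, fixed = mul_mod_fixed(a, b, P, 127)
        print(f"{name}-weight operand: leaky adds={leaky}, fixed adds={fixed}")
```

The addition counter stands in for wall-clock time: in the first function it differs between the two operands, in the second it does not.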

Key dates

02 Disclosure timeline

May 13, 2026 CVE published
May 15, 2026 Record updated