dalek-cryptography curve25519-dalek Crate up to 4.1.2 on Rust Elliptic Curve compiler optimization removal or modification of security-critical code
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 2.6 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as problematic has been found in dalek-cryptography curve25519-dalek Crate up to 4.1.2 on Rust. Affected is an unknown function of the component Elliptic Curve Handler. Executing a manipulation can lead to compiler optimization removal or modification of security-critical code. This vulnerability is handled as CVE-2024-58262. It is possible to launch the attack on the local host. There is not any exploit available. The affected component should be upgraded.
Details
A vulnerability has been found in dalek-cryptography curve25519-dalek Crate up to 4.1.2 on Rust and classified as problematic. This vulnerability affects an unknown part of the component Elliptic Curve Handler. The manipulation with an unknown input leads to a compiler optimization removal or modification of security-critical code vulnerability. The CWE definition for the vulnerability is CWE-733. The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified. As an impact it is known to affect confidentiality. CVE summarizes:
The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.
The advisory is available at rustsec.org. This vulnerability was named CVE-2024-58262 since 07/27/2025. The exploitation appears to be difficult. Local access is required to approach this attack. The technical details are unknown and an exploit is not available.
Upgrading to version 4.1.3 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2024-54823). Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 2.7VulDB Meta Temp Score: 2.6
VulDB Base Score: 2.5
VulDB Temp Score: 2.4
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 2.9
CNA Vector (MITRE): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Compiler optimization removal or modification of security-critical codeCWE: CWE-733
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: No
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: curve25519-dalek Crate 4.1.3
Patch: github.com
Timeline
07/27/2025 Advisory disclosed07/27/2025 CVE reserved
07/27/2025 VulDB entry created
07/27/2025 VulDB entry last update
Sources
Advisory: RUSTSEC-2024-0344Status: Confirmed
CVE: CVE-2024-58262 (🔒)
GCVE (CVE): GCVE-0-2024-58262
GCVE (VulDB): GCVE-100-317866
EUVD: 🔒
Entry
Created: 07/27/2025 22:51Updated: 07/27/2025 23:10
Changes: 07/27/2025 22:51 (67), 07/27/2025 23:10 (1)
Complete: 🔍
Cache ID: 216:C8F:103
No comments yet. Languages: en.
Please log in to comment.