Loading
Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack.
Use CWE-200, Debian vendor hub and Debian Linux product page to widen CVE-2016-2849 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2025-68670, CVE-2025-62600 and CVE-2025-62599 for nearby disclosures in the same product family.