Cyber Resilience

CVE-2023-5992

MediumPublic PoC

Published: 31 January 2024

Published
31 January 2024
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0026 49.4th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-5992 is a medium-severity Observable Discrepancy (CWE-203) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 5.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 49.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The side-channel vulnerability in OpenSC (CVE-2023-5992) during PKCS#1 encryption padding removal enables leakage of private data, such as cryptographic keys or other sensitive credentials from smart card operations, via exploitation for credential access.

Affected Assets

opensc project
opensc
≤ 0.25.0
redhat
enterprise linux
7.0, 8.0, 9.0
redhat
enterprise linux eus
9.4
redhat
enterprise linux for arm 64
8.0_aarch64, 9.0_aarch64
redhat
enterprise linux for arm 64 eus
9.4_aarch64
redhat
enterprise linux for ibm z systems
8.0_s390x, 9.0_s390x
redhat
enterprise linux for ibm z systems eus
9.4_s390x
redhat
enterprise linux for power little endian
9.0_ppc64le
redhat
enterprise linux for power little endian eus
9.4_ppc64le
redhat
enterprise linux server aus
9.4
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-203

Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.

addresses: CWE-203

Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.

addresses: CWE-203

Prevents attackers from using observable differences in error responses to infer internal system details or state.

References