CVE-2024-45191 – This vulnerability in Matrix libolm's AES imple... (How to Fix)

📋 TL;DR

This vulnerability in Matrix libolm's AES implementation allows attackers to perform cache-timing attacks to potentially extract cryptographic keys. It affects software using vulnerable versions of libolm for encryption, though only unsupported products are impacted. The attack requires local access or ability to measure timing differences.

💻 Affected Systems

Products:

Matrix libolm
Software using libolm for encryption (e.g., Matrix clients)

Versions: Through 3.2.16

Operating Systems: All platforms using vulnerable libolm

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects unsupported products according to maintainer; libolm is deprecated in favor of vodozemac.

📦 What is this software?

Olm by Matrix

View all CVEs affecting Olm →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could extract encryption keys, compromising confidentiality of encrypted communications in Matrix-based applications.

🟠

Likely Case

Limited impact due to requirement for precise timing measurements and local access; most real-world exploitation would be difficult.

🟢

If Mitigated

With proper network segmentation and access controls, risk is minimal as attack requires proximity to target system.

🌐 Internet-Facing: LOW - Attack requires precise timing measurements unlikely over internet connections.

🏢 Internal Only: MEDIUM - Internal attackers with local access could potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Cache-timing attacks require sophisticated measurement capabilities and local system access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 6d4b5b07887821a95b144091c8497d09d377f985

Vendor Advisory: https://gitlab.matrix.org/matrix-org/olm/

Restart Required: Yes

Instructions:

1. Update to latest libolm version or apply commit 6d4b5b07887821a95b144091c8497d09d377f985
2. Rebuild and reinstall libolm
3. Restart applications using libolm
4. Consider migrating to vodozemac (recommended replacement)

🔧 Temporary Workarounds

Migrate to vodozemac

all

Replace libolm with vodozemac, the recommended replacement library

Follow migration guide at https://gitlab.matrix.org/matrix-org/olm/-/blob/master/docs/migrating.md

🧯 If You Can't Patch

Implement strict access controls to limit local system access
Monitor for unusual timing analysis tools or processes on affected systems

🔍 How to Verify

Check if Vulnerable:

Check libolm version; if ≤3.2.16 and using AES implementation, system is vulnerable

Check Version:

Check package manager or compile logs for libolm version

Verify Fix Applied:

Verify libolm version is >3.2.16 or includes commit 6d4b5b07887821a95b144091c8497d09d377f985

📡 Detection & Monitoring

Log Indicators:

Unusual process timing measurements
Suspicious cryptographic operations

Network Indicators:

Unusual local network traffic patterns for timing analysis

SIEM Query:

Process execution of timing measurement tools on systems with libolm

📊 Metadata

CVE ID: CVE-2024-45191

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-208

Published: August 22, 2024

Last Updated: June 17, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-45191, you might also want to check these: