CWE-208
Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CVE-2026-5086 (GCVE-0-2026-5086)
Vulnerability from cvelistv5 – Published: 2026-04-13 22:54 – Updated: 2026-04-15 20:03
VLAI
Title
Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks
Summary
Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks.
For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password.
Severity
7.5 (High)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://metacpan.org/release/NERDVANA/Crypt-Secre… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NERDVANA | Crypt::SecretBuffer |
Affected:
0 , < 0.019
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-14T01:34:38.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/13/12"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5086",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T19:59:41.270630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T20:03:28.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-SecretBuffer",
"product": "Crypt::SecretBuffer",
"programFiles": [
"SecretBuffer.xs"
],
"programRoutines": [
{
"name": "Crypt::SecretBuffer::memcmp"
}
],
"repo": "https://github.com/nrdvana/perl-Crypt-SecretBuffer",
"vendor": "NERDVANA",
"versions": [
{
"lessThan": "0.019",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks.\n\nFor example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T22:54:53.724Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.019 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-5086",
"datePublished": "2026-04-13T22:54:53.724Z",
"dateReserved": "2026-03-28T19:22:27.564Z",
"dateUpdated": "2026-04-15T20:03:28.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5091 (GCVE-0-2026-5091)
Vulnerability from cvelistv5 – Published: 2026-05-21 21:07 – Updated: 2026-05-22 14:13
VLAI
Title
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks
Summary
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks.
These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password.
Severity
5.1 (Medium)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/ETHER/Catalyst-Plugi… | release-notes |
| https://github.com/perl-catalyst/Catalyst-Plugin-… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| JJNAPIORK | Catalyst::Plugin::Authentication |
Affected:
0 , ≤ 0.10024
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-22T01:40:38.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/19"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T14:13:45.514337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T14:13:48.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Catalyst-Plugin-Authentication",
"product": "Catalyst::Plugin::Authentication",
"programFiles": [
"lib/Catalyst/Authentication/Credential/Password.pm"
],
"programRoutines": [
{
"name": "Catalyst::Authentication::Credential::Password::check_password"
}
],
"repo": "https://github.com/perl-catalyst/Catalyst-Plugin-Authentication",
"vendor": "JJNAPIORK",
"versions": [
{
"lessThanOrEqual": "0.10024",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks.\n\nThese versions use Perl\u0027s built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T21:07:26.432Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_025/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.10026 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-5091",
"datePublished": "2026-05-21T21:07:26.432Z",
"dateReserved": "2026-03-28T19:36:44.345Z",
"dateUpdated": "2026-05-22T14:13:48.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.