Vulnerability-Lookup

CVE-2026-13758 (GCVE-0-2026-13758)

Vulnerability from cvelistv5 – Published: 2026-06-29 20:42 – Updated: 2026-06-29 22:24

Title

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path

Summary

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison. The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.

Severity

No CVSS data available.

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

CPANSec

References

3 references

URL	Tags
https://github.com/DCIT/perl-CryptX/commit/7e5634…	patch
https://metacpan.org/release/MIK/CryptX-0.088_001…	release-notes
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
MIK	CryptX	Affected: 0 , < 0.088_001 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-29T22:24:14.433Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/29/19"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "CryptX",
          "product": "CryptX",
          "programFiles": [
            "inc/CryptX_AuthEnc_GCM.xs.inc",
            "inc/CryptX_AuthEnc_CCM.xs.inc",
            "inc/CryptX_AuthEnc_ChaCha20Poly1305.xs.inc",
            "inc/CryptX_AuthEnc_EAX.xs.inc",
            "inc/CryptX_AuthEnc_OCB.xs.inc"
          ],
          "programRoutines": [
            {
              "name": "Crypt::AuthEnc::GCM::decrypt_done"
            },
            {
              "name": "Crypt::AuthEnc::CCM::decrypt_done"
            },
            {
              "name": "Crypt::AuthEnc::ChaCha20Poly1305::decrypt_done"
            },
            {
              "name": "Crypt::AuthEnc::EAX::decrypt_done"
            },
            {
              "name": "Crypt::AuthEnc::OCB::decrypt_done"
            }
          ],
          "repo": "https://github.com/DCIT/perl-CryptX",
          "vendor": "MIK",
          "versions": [
            {
              "lessThan": "0.088_001",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.\n\nThe decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.\n\nThe timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-29T20:42:14.612Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/MIK/CryptX-0.088_001/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to CryptX 0.088_001 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-13758",
    "datePublished": "2026-06-29T20:42:14.612Z",
    "dateReserved": "2026-06-29T17:50:18.724Z",
    "dateUpdated": "2026-06-29T22:24:14.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-13758\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2026-06-29T21:16:43.067\",\"lastModified\":\"2026-06-29T23:16:42.433\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.\\n\\nThe decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.\\n\\nThe timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.\"}],\"affected\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"affectedData\":[{\"vendor\":\"MIK\",\"product\":\"CryptX\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://cpan.org/modules\",\"packageName\":\"CryptX\",\"programFiles\":[\"inc/CryptX_AuthEnc_GCM.xs.inc\",\"inc/CryptX_AuthEnc_CCM.xs.inc\",\"inc/CryptX_AuthEnc_ChaCha20Poly1305.xs.inc\",\"inc/CryptX_AuthEnc_EAX.xs.inc\",\"inc/CryptX_AuthEnc_OCB.xs.inc\"],\"programRoutines\":[{\"name\":\"Crypt::AuthEnc::GCM::decrypt_done\"},{\"name\":\"Crypt::AuthEnc::CCM::decrypt_done\"},{\"name\":\"Crypt::AuthEnc::ChaCha20Poly1305::decrypt_done\"},{\"name\":\"Crypt::AuthEnc::EAX::decrypt_done\"},{\"name\":\"Crypt::AuthEnc::OCB::decrypt_done\"}],\"repo\":\"https://github.com/DCIT/perl-CryptX\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"0.088_001\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-208\"}]}],\"references\":[{\"url\":\"https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://metacpan.org/release/MIK/CryptX-0.088_001/changes\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/06/29/19\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GHSA-55GR-9963-833C

Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-30 00:31

Details

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.

The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.

The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-13758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T21:16:43Z",
    "severity": null
  },
  "details": "CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.\n\nThe decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.\n\nThe timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.",
  "id": "GHSA-55gr-9963-833c",
  "modified": "2026-06-30T00:31:30Z",
  "published": "2026-06-29T21:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/MIK/CryptX-0.088_001/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/29/19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-13758 (GCVE-0-2026-13758)

GHSA-55GR-9963-833C

Tags

Sightings

Nomenclature