Skip to main content

CryptX CVE-2026-13758

| EUVDEUVD-2026-40229 LOW
Observable Timing Discrepancy (CWE-208)
2026-06-29 CPANSec GHSA-55gr-9963-833c
3.7
CVSS 3.1 · Vendor: CPANSec

Severity by source

Vendor (CPANSec) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.8 MEDIUM

AC:H for required timing precision and volume; C:L for incremental tag-byte leakage; I:L added because successful exploitation enables AEAD authentication forgery not reflected in NVD's I:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 30, 2026 - 16:31 vuln.today
CVSS changed
Jun 30, 2026 - 14:22 NVD
3.7 (LOW)
CVE Published
Jun 29, 2026 - 20:42 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.

The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.

The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.

AnalysisAI

Non-constant-time AEAD authentication tag comparison in CryptX before 0.088_001 for Perl exposes a timing oracle in the streaming decrypt_done path, enabling authentication tag forgery across five AEAD cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, and OCB. An attacker who can submit many candidate tags for a fixed nonce and ciphertext while precisely measuring response timing can recover the expected tag byte-by-byte and forge authenticated messages. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit AEAD ciphertext with candidate tag to target service
Delivery
Measure precise server response timing per tag submission
Exploit
Recover expected tag byte-by-byte via timing oracle
Execution
Construct fully forged authentication tag
Impact
Submit forged ciphertext as authenticated message

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to use CryptX's streaming AEAD API - specifically the decrypt_done($tag) method - with one of the five affected cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, or OCB. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.7 base score (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects a high-complexity network attack with limited direct impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targets a Perl service that accepts AEAD-encrypted messages via CryptX's streaming decrypt_done path and returns timing-distinguishable responses. By submitting thousands of candidate authentication tags for a fixed nonce and ciphertext - cycling through each possible byte value for each tag position - and measuring precise response latency, the attacker statistically identifies which byte value causes a marginally longer comparison, recovering the expected tag byte-by-byte. …
Remediation Upgrade CryptX to version 0.088_001 or later, which replaces the non-constant-time memNE comparison in decrypt_done with a constant-time tag verification routine. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy