Caliptra Core Firmware CVE-2026-6458
MEDIUMSeverity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:A and PR:L match vendor assessment; AC:H reflects the specific streaming-API-with-empty-AAD prerequisite; S:C captures downstream integrity impact on systems trusting the RoT.
Primary rating from Vendor (Caliptra).
CVSS VectorVendor: Caliptra
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.
This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.
AnalysisAI
Broken GCM integrity in Caliptra Core Runtime Firmware 2.0.0-2.1.0 allows an adjacent, low-privileged attacker to silently tamper with ciphertext produced by the streaming AES-256-GCM API when called with empty AAD. The root defect - a missing save of the hardware GHASH accumulator state after the first streaming update call - causes the final authentication tag to exclude the first batch of processed ciphertext, nullifying the integrity guarantee of authenticated encryption for that block. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target system to be actively using the streaming AES-256-GCM API (`aes_256_gcm_update`) with empty Associated Additional Data (AAD) - this is a specific application-level API usage pattern, not a default or universally present condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) is consistent with the actual threat model: adjacent network vector (AV:A) and low privileges required (PR:L) substantially limit the exploitable population. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with adjacent network presence and low-privileged access to a system using Caliptra's streaming AES-256-GCM with empty AAD intercepts the ciphertext produced during the first `aes_256_gcm_update` call and modifies it in transit or in storage. Because the GHASH accumulator was not checkpointed after that call, the final authentication tag does not incorporate the first block's ciphertext, and the modification passes tag verification silently. … |
| Remediation | Consult the CHIPSALLIANCE Caliptra security advisory at https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr for the upstream fix; a specific patched release version is not independently confirmed from the available data, so track the caliptra-sw repository for a tagged release addressing this advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Core Runtime Firmware
View allSame weakness CWE-325 – Missing Cryptographic Step
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today