Skip to main content

CWE-323

Reusing a Nonce, Key Pair in Encryption

36 CVEs Avg CVSS 6.5 MITRE
6
CRITICAL
6
HIGH
22
MEDIUM
2
LOW
5
POC
0
KEV

Monthly

CVE-2026-21383 HIGH This Week

Sensitive key material can be exposed in Qualcomm Snapdragon platforms because AES-GCM key wrapping is performed with a hardcoded/static initialization vector instead of a unique per-call nonce. A local, low-privileged attacker who can collect multiple wrapped outputs can exploit the resulting IV/nonce reuse to recover confidentiality and forge integrity of wrapped keys. There is no public exploit identified at time of analysis, and the issue is disclosed via Qualcomm's July 2026 security bulletin.

Information Disclosure Snapdragon
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-59099 CRITICAL POC PATCH Act Now

Plaintext recovery of webflow conversation state in Apereo CAS (versions 7.3.0 up to but not including 8.0.0-RC6) lets remote unauthenticated attackers decrypt sensitive login-flow data by exploiting AES-GCM nonce reuse. Because the server encrypts client-side webflow execution tokens with a fixed all-zero initialization vector under a single long-lived key, an attacker can harvest multiple tokens from the public login page and apply known-plaintext/keystream-reuse analysis to break confidentiality (and, given GCM's nonce-reuse properties, integrity of the token). Publicly available exploit code exists; the flaw was reported by VulnCheck and carries a CVSS 4.0 base of 9.3, though no CISA KEV listing or EPSS score is provided.

Information Disclosure Cas
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56369 NuGet MEDIUM PATCH This Month

Nonce reuse in ImageMagick's AES-CTR cipher implementation exposes encrypted image plaintext to recovery attacks. The PasskeyEncipherImage method in ImageMagick before 7.1.2-22 reuses nonces when performing AES in Counter mode, violating the fundamental security requirement that a nonce be used exactly once per key. A network-accessible attacker who can collect multiple ciphertexts produced with the same passkey and nonce can XOR the outputs to cancel the shared keystream and partially or fully recover encrypted image content. No active exploitation has been identified (not in CISA KEV), and no public exploit code is known at time of analysis.

Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-55967 LOW PATCH Monitor

Keystream reuse in wolfSSL's streaming AES-GCM API exposes ciphertext to partial plaintext recovery when a single session accumulates more than 64 GiB of data, violating NIST SP 800-38D counter limits due to unguarded internal counter wrap. All wolfSSL versions are affected per wildcard CPE (cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*), with the flaw present in both AES-GCM and AES-CCM streaming paths. Exploitation is constrained to local access with low privileges, high attack complexity, and the operationally unusual prerequisite of processing tens of gigabytes in a single uninterrupted streaming session; no public exploit identified at time of analysis.

Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-49952 CRITICAL POC PATCH Act Now

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee.

PHP Authentication Bypass Oracle Discuz X5 0
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-12205 CRITICAL PATCH Act Now

Private-key recovery is possible in Crypt::DSA for Perl (all versions before 1.21) because the module caches the per-signature DSA nonce (k) inside the Key object and never clears it, causing every call to sign() after the first to reuse the identical nonce and produce signatures with matching r values. Any attacker who can observe two or more DSA signatures produced by the same Key object can apply well-known algebraic techniques to recover the private key entirely, after which they can forge arbitrary signatures. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the cryptographic impact is catastrophic: all keys used to sign more than once under an affected version must be treated as fully compromised.

Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-45028 npm LOW PATCH GHSA Monitor

Astro versions prior to 6.1.10 fail to bind encrypted server island parameters to their intended component and purpose, allowing attackers to replay encrypted props as slots or vice versa. This cryptographic binding failure could lead to cross-site scripting (XSS) when applications use server islands with overlapping prop and slot names where an attacker controls prop values. The vulnerability requires very specific application architecture (shared key names, dynamically rendered pages, attacker-controlled props) making real-world exploitation unlikely, but the underlying encryption design flaw is significant.

XSS
NVD GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-5446 MEDIUM PATCH This Month

wolfSSL's ARIA-GCM cipher suites in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte nonce for every encrypted application-data record, enabling plaintext recovery through cryptanalytic attacks. This vulnerability affects only non-FIPS builds explicitly configured with --enable-aria and the proprietary MagicCrypto SDK (opt-in for Korean regulatory compliance). Authenticated remote attackers can exploit this to recover encrypted data, though AES-GCM implementations in the same product are unaffected due to independent invocation counters. No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-3559 HIGH This Week

CVE-2026-3559 is an authentication bypass vulnerability in Philips Hue Bridge devices affecting the HomeKit Accessory Protocol implementation, where a static nonce in the SRP authentication mechanism allows network-adjacent attackers to gain unauthorized access without credentials. With a CVSS score of 8.1 and requiring only local network access, attackers can achieve high confidentiality and integrity impact on the affected smart home infrastructure. No active exploitation (not in KEV), POC availability, or EPSS data is currently available.

Authentication Bypass Hue Bridge
NVD
CVSS 3.0
8.1
EPSS
0.0%
CVE-2026-3099 MEDIUM PATCH This Month

Libsoup's digest authentication mechanism fails to validate nonce reuse and enforce proper nonce-count incrementation, enabling attackers to replay captured authentication headers to bypass access controls. A remote attacker can exploit this to impersonate legitimate users and access protected resources without valid credentials. No patch is currently available.

Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
5.8
EPSS
0.1%
EPSS 0% CVSS 7.1
HIGH This Week

Sensitive key material can be exposed in Qualcomm Snapdragon platforms because AES-GCM key wrapping is performed with a hardcoded/static initialization vector instead of a unique per-call nonce. A local, low-privileged attacker who can collect multiple wrapped outputs can exploit the resulting IV/nonce reuse to recover confidentiality and forge integrity of wrapped keys. There is no public exploit identified at time of analysis, and the issue is disclosed via Qualcomm's July 2026 security bulletin.

Information Disclosure Snapdragon
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Plaintext recovery of webflow conversation state in Apereo CAS (versions 7.3.0 up to but not including 8.0.0-RC6) lets remote unauthenticated attackers decrypt sensitive login-flow data by exploiting AES-GCM nonce reuse. Because the server encrypts client-side webflow execution tokens with a fixed all-zero initialization vector under a single long-lived key, an attacker can harvest multiple tokens from the public login page and apply known-plaintext/keystream-reuse analysis to break confidentiality (and, given GCM's nonce-reuse properties, integrity of the token). Publicly available exploit code exists; the flaw was reported by VulnCheck and carries a CVSS 4.0 base of 9.3, though no CISA KEV listing or EPSS score is provided.

Information Disclosure Cas
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Nonce reuse in ImageMagick's AES-CTR cipher implementation exposes encrypted image plaintext to recovery attacks. The PasskeyEncipherImage method in ImageMagick before 7.1.2-22 reuses nonces when performing AES in Counter mode, violating the fundamental security requirement that a nonce be used exactly once per key. A network-accessible attacker who can collect multiple ciphertexts produced with the same passkey and nonce can XOR the outputs to cancel the shared keystream and partially or fully recover encrypted image content. No active exploitation has been identified (not in CISA KEV), and no public exploit code is known at time of analysis.

Information Disclosure Imagemagick
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Keystream reuse in wolfSSL's streaming AES-GCM API exposes ciphertext to partial plaintext recovery when a single session accumulates more than 64 GiB of data, violating NIST SP 800-38D counter limits due to unguarded internal counter wrap. All wolfSSL versions are affected per wildcard CPE (cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*), with the flaw present in both AES-GCM and AES-CCM streaming paths. Exploitation is constrained to local access with low privileges, high attack complexity, and the operationally unusual prerequisite of processing tens of gigabytes in a single uninterrupted streaming session; no public exploit identified at time of analysis.

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee.

PHP Authentication Bypass Oracle +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Private-key recovery is possible in Crypt::DSA for Perl (all versions before 1.21) because the module caches the per-signature DSA nonce (k) inside the Key object and never clears it, causing every call to sign() after the first to reuse the identical nonce and produce signatures with matching r values. Any attacker who can observe two or more DSA signatures produced by the same Key object can apply well-known algebraic techniques to recover the private key entirely, after which they can forge arbitrary signatures. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the cryptographic impact is catastrophic: all keys used to sign more than once under an affected version must be treated as fully compromised.

Information Disclosure Red Hat
NVD VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Astro versions prior to 6.1.10 fail to bind encrypted server island parameters to their intended component and purpose, allowing attackers to replay encrypted props as slots or vice versa. This cryptographic binding failure could lead to cross-site scripting (XSS) when applications use server islands with overlapping prop and slot names where an attacker controls prop values. The vulnerability requires very specific application architecture (shared key names, dynamically rendered pages, attacker-controlled props) making real-world exploitation unlikely, but the underlying encryption design flaw is significant.

XSS
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

wolfSSL's ARIA-GCM cipher suites in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte nonce for every encrypted application-data record, enabling plaintext recovery through cryptanalytic attacks. This vulnerability affects only non-FIPS builds explicitly configured with --enable-aria and the proprietary MagicCrypto SDK (opt-in for Korean regulatory compliance). Authenticated remote attackers can exploit this to recover encrypted data, though AES-GCM implementations in the same product are unaffected due to independent invocation counters. No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

CVE-2026-3559 is an authentication bypass vulnerability in Philips Hue Bridge devices affecting the HomeKit Accessory Protocol implementation, where a static nonce in the SRP authentication mechanism allows network-adjacent attackers to gain unauthorized access without credentials. With a CVSS score of 8.1 and requiring only local network access, attackers can achieve high confidentiality and integrity impact on the affected smart home infrastructure. No active exploitation (not in KEV), POC availability, or EPSS data is currently available.

Authentication Bypass Hue Bridge
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Libsoup's digest authentication mechanism fails to validate nonce reuse and enforce proper nonce-count incrementation, enabling attackers to replay captured authentication headers to bypass access controls. A remote attacker can exploit this to impersonate legitimate users and access protected resources without valid credentials. No patch is currently available.

Authentication Bypass Red Hat Suse
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy