Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
AC:H for required timing precision and volume; C:L for incremental tag-byte leakage; I:L added because successful exploitation enables AEAD authentication forgery not reflected in NVD's I:N.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.
The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.
The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.
AnalysisAI
Non-constant-time AEAD authentication tag comparison in CryptX before 0.088_001 for Perl exposes a timing oracle in the streaming decrypt_done path, enabling authentication tag forgery across five AEAD cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, and OCB. An attacker who can submit many candidate tags for a fixed nonce and ciphertext while precisely measuring response timing can recover the expected tag byte-by-byte and forge authenticated messages. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to use CryptX's streaming AEAD API - specifically the decrypt_done($tag) method - with one of the five affected cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, or OCB. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.7 base score (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects a high-complexity network attack with limited direct impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targets a Perl service that accepts AEAD-encrypted messages via CryptX's streaming decrypt_done path and returns timing-distinguishable responses. By submitting thousands of candidate authentication tags for a fixed nonce and ciphertext - cycling through each possible byte value for each tag position - and measuring precise response latency, the attacker statistically identifies which byte value causes a marginally longer comparison, recovering the expected tag byte-by-byte. … |
| Remediation | Upgrade CryptX to version 0.088_001 or later, which replaces the non-constant-time memNE comparison in decrypt_done with a constant-time tag verification routine. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial-of-service via stack buffer overflow in CryptX (Perl cryptography module) versions before 0.088_001 affects four
PRNG state reuse across forked processes in CryptX for Perl allows remote attackers to recover private signing keys thro
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40229
GHSA-55gr-9963-833c