CVE-2026-13758
Published 2026-06-29
Priority: P4 (17) · Severity: low · CVSS 3.1 base score: 3.7
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.23% (13.2th percentile)
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.
The streaming decrypt_done($tag) form compares the caller-supplied $tag with the computed tag using Perl's memNE macro, which is memcmp() != 0. memcmp() returns as soon as it finds a differing byte, so the call's run time grows with the number of leading bytes of the candidate tag that are correct. All five AEAD modes are affected: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.
The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data, and can measure the response time precisely enough to separate a one-byte from a two-byte prefix match, can recover the expected tag byte by byte: at most 256 guesses per tag byte, so on the order of 4096 attempts for a 16-byte tag rather than a 2^128 search, and then forge a message that verifies. Whether that signal survives network jitter and the rest of the request handling depends on the deployment, which is consistent with the high attack complexity (AC:H) in the CVSS vector; code that passes attacker-supplied tags to decrypt_done($tag) still needs 0.088_001, or the one-shot helpers, regardless.
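The three call shapes the advisory distinguishes, as an added example that is not code from the CryptX project or from this advisory: the affected streaming decrypt_done($tag) call, the unaffected one-shot gcm_decrypt_verify helper, an interim hardening for streaming code that cannot upgrade yet, and a check of the installed version. It assumes the documented Crypt::AuthEnc::GCM behaviour that decrypt_done($tag) returns true on a matching tag and decrypt_done() with no argument returns the computed tag, and that gcm_decrypt_verify returns undef on a mismatch. The double-HMAC comparison in tags_equal_ct is a mitigation chosen here, not the upstream fix, which is to upgrade to 0.088_001. The key, nonce, associated data and plaintext are constructed sample values.

```perl
#!/usr/bin/env perl
# Added example, not CryptX project code. Shows which decrypt call shapes
# CVE-2026-13758 covers and an interim hardening for unpatched hosts.
use strict;
use warnings;
use CryptX;
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::Mac::HMAC    qw(hmac);
use Crypt::PRNG         qw(random_bytes);

# Constructed sample values, not real key material or traffic.
my $key   = "\x11" x 32;      # AES-256 key
my $nonce = "\x22" x 12;      # 96-bit GCM nonce
my $adata = "header-v1";
my $pt    = "attack at dawn";

my ($ct, $tag) = gcm_encrypt_authenticate('AES', $key, $nonce, $adata, $pt);

# 1. Affected before 0.088_001: the streaming API with the candidate tag
#    handed to decrypt_done(). memNE()/memcmp() returns at the first byte
#    that differs, so the call's run time tells a caller who controls
#    $candidate_tag how many leading bytes were right.
sub decrypt_streaming_vulnerable {
    my ($candidate_tag) = @_;
    my $ae = Crypt::AuthEnc::GCM->new('AES', $key, $nonce);
    $ae->adata_add($adata);
    my $out = $ae->decrypt_add($ct);
    return $ae->decrypt_done($candidate_tag) ? $out : undef;   # leaks timing
}

# 2. Unaffected: the one-shot helper verifies inside libtomcrypt, which
#    compares the whole tag in constant time. Assumed to return undef on
#    a mismatch, as the CryptX docs describe.
sub decrypt_oneshot {
    my ($candidate_tag) = @_;
    return gcm_decrypt_verify('AES', $key, $nonce, $adata, $ct, $candidate_tag);
}

# 3. Interim hardening for streaming code that cannot upgrade yet: ask
#    decrypt_done() for the computed tag instead of passing ours in, then
#    compare the two through HMAC under a fresh random key. The eq that
#    finally short-circuits runs on values the attacker cannot predict,
#    so its timing no longer says anything about the real tag.
sub tags_equal_ct {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $k = random_bytes(32);
    return hmac('SHA256', $k, $x) eq hmac('SHA256', $k, $y) ? 1 : 0;
}

sub decrypt_streaming_hardened {
    my ($candidate_tag) = @_;
    my $ae = Crypt::AuthEnc::GCM->new('AES', $key, $nonce);
    $ae->adata_add($adata);
    my $out      = $ae->decrypt_add($ct);
    my $computed = $ae->decrypt_done();      # no argument: returns the tag
    return tags_equal_ct($computed, $candidate_tag) ? $out : undef;
}

# Is the installed CryptX still in the affected range? UNIVERSAL::VERSION
# dies when the loaded module is older than the requested version.
sub cryptx_is_affected {
    return eval { CryptX->VERSION('0.088_001'); 1 } ? 0 : 1;
}

# Self-check: a one-bit change to the tag must fail in all three shapes.
my $bad_tag = $tag;
substr($bad_tag, 0, 1) = chr(ord(substr($bad_tag, 0, 1)) ^ 0x01);
for my $fn (\&decrypt_streaming_vulnerable, \&decrypt_oneshot, \&decrypt_streaming_hardened) {
    my $good = $fn->($tag);
    die "good tag must verify" unless defined $good && $good eq $pt;
    die "bad tag must fail"    if defined $fn->($bad_tag);
}
printf "CryptX %s: %s\n", $CryptX::VERSION,
    cryptx_is_affected() ? 'affected, avoid decrypt_done($tag) until upgraded' : 'fixed';
```

Run it with perl after installing CryptX (cpanm CryptX). The same three shapes apply to the other modes; only the constructors differ, for example Crypt::AuthEnc::ChaCha20Poly1305->new($key, $nonce) takes no cipher name. The per-call random HMAC key in tags_equal_ct is what makes the comparison safe: with a fixed key an attacker could still precompute which candidate tags share an HMAC prefix with the target, so the key must be fresh and never reused across calls.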
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mik | cryptx | < 0.088_001 | 0.088_001 |
VulDB
vuldb · 2026-06-30
CVE-2026-13758 [LOW] MIK CryptX up to 0.088_000 on Perl memcmp day timing discrepancy (EUVD-2026-40229)
A vulnerability was found in MIK CryptX up to 0.088_000 on Perl and classified as problematic. The impacted element is the function memcmp. The manipulation of the argument day results in observable timing discrepancy.
This vulnerability is known as CVE-2026-13758. It is possible to launch the attack remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
ghsa_unreviewed · 2026-06-29
CVE-2026-13758 [LOW] CWE-208 CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2026-06-29
CVE-2026-13758 [MEDIUM] perl-CryptX: CryptX for Perl: Message forgery via non-constant time AEAD tag comparison [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
bugzilla · 2026-06-29
CVE-2026-13758 [MEDIUM] CryptX: CryptX for Perl: Message forgery via non-constant time AEAD tag comparison
Bugzilla
bugzilla · 2026-06-29
CVE-2026-13758 [MEDIUM] perl-CryptX: CryptX for Perl: Message forgery via non-constant time AEAD tag comparison [fedora-all]