CVE-2026-40194
Received Received - Intake
Timing Side-Channel in phpseclib SSH2 HMAC Comparison

Publication date: 2026-04-10

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
phpseclib is a PHP secure communications library. Prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circuits on the first differing byte. This is a real variable-time comparison (CWE-208), proven by scaling benchmarks. This vulnerability is fixed in 3.0.51, 2.0.53, and 1.0.28.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-21
Generated
2026-05-07
AI Q&A
2026-04-11
EPSS Evaluated
2026-05-05
NVD
CVE-2026-40194
EUVD
EUVD-2026-21597
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
phpseclib phpseclib to 1.0.27 (inc)
phpseclib phpseclib From 2.0.0 (inc) to 2.0.53 (exc)
phpseclib phpseclib From 3.0.0 (inc) to 3.0.51 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the phpseclib PHP secure communications library, specifically in the Net\SSH2::get_binary_packet() function. The function uses PHP's != operator to compare a received SSH packet HMAC against a locally computed HMAC. Because PHP's != operator on equal-length binary strings uses memcmp(), which stops comparing at the first differing byte, this results in a variable-time comparison. This timing difference can be exploited, making it a timing side-channel vulnerability (CWE-208).

The vulnerability was fixed in versions 3.0.51, 2.0.53, and 1.0.28 of phpseclib.


How can this vulnerability impact me? :

Because the comparison of HMAC values is done in variable time, an attacker could potentially measure the time it takes to compare HMACs and use this information to deduce the correct HMAC value byte-by-byte. This could lead to an attacker bypassing authentication or integrity checks in SSH communications, potentially allowing unauthorized access or data manipulation.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update phpseclib to version 3.0.51, 2.0.53, or 1.0.28 or later, where the issue with the insecure comparison operator in get_binary_packet() has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart