CVE-2026-40194
Modified Modified - Updated After Analysis
Timing Side-Channel in phpseclib SSH2 HMAC Comparison

Publication date: 2026-04-10

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
phpseclib is a PHP secure communications library. Starting in 0.1.1 and prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circuits on the first differing byte. This is a real variable-time comparison (CWE-208), proven by scaling benchmarks. This vulnerability is fixed in 3.0.51, 2.0.53, and 1.0.28.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40194
EUVD
EUVD-2026-21597
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
phpseclib phpseclib to 1.0.27 (inc)
phpseclib phpseclib From 2.0.0 (inc) to 2.0.53 (exc)
phpseclib phpseclib From 3.0.0 (inc) to 3.0.51 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the phpseclib PHP secure communications library, specifically in the Net\SSH2::get_binary_packet() function. The function uses PHP's != operator to compare a received SSH packet HMAC against a locally computed HMAC. Because PHP's != operator on equal-length binary strings uses memcmp(), which stops comparing at the first differing byte, this results in a variable-time comparison. This timing difference can be exploited, making it a timing side-channel vulnerability (CWE-208).

The vulnerability was fixed in versions 3.0.51, 2.0.53, and 1.0.28 of phpseclib.

Impact Analysis

Because the comparison of HMAC values is done in variable time, an attacker could potentially measure the time it takes to compare HMACs and use this information to deduce the correct HMAC value byte-by-byte. This could lead to an attacker bypassing authentication or integrity checks in SSH communications, potentially allowing unauthorized access or data manipulation.

Mitigation Strategies

To mitigate this vulnerability, update phpseclib to version 3.0.51, 2.0.53, or 1.0.28 or later, where the issue with the insecure comparison operator in get_binary_packet() has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart