CVE-2026-13758

Timing Side-Channel in CryptX Perl Module

Vulnerability report for CVE-2026-13758, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: CPANSec

Description

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form compares the supplied tag against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison. The timing difference is a tag-verification oracle: an attacker who can submit many candidate tags for the same nonce, ciphertext and associated data, while measuring the timing precisely enough, may recover the expected tag byte by byte and forge a message that verifies.

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-30
EPSS Evaluated
N/A

Affected Vendors & Products

One associated CPE:

Vendor: cryptx
Product: cryptx
Version / Range: up to 0.088_001 (exclusive)

Exploitability

CWE

CWE-208: Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Impact Analysis

This vulnerability can allow an attacker to perform a timing attack to recover the authentication tag byte by byte.

By exploiting this, an attacker could forge a valid message that passes authentication, potentially leading to unauthorized data manipulation or injection.

Such forged messages could compromise the integrity and authenticity guarantees provided by the AEAD encryption modes, undermining the security of communications or stored data relying on CryptX.

Executive Summary

This vulnerability exists in CryptX versions before 0.088_001 for Perl, where the AEAD authentication tags are compared in a non-constant time manner during the streaming decrypt_done path.

Specifically, the decrypt_done($tag) function compares the provided tag against the computed tag using memNE (memcmp() != 0), which stops comparing as soon as it finds a differing byte. This means the time taken depends on how many leading bytes match.

This timing difference creates a tag-verification oracle, allowing an attacker who can submit many candidate tags for the same nonce, ciphertext, and associated data, and measure the timing precisely, to recover the expected tag byte by byte and forge a message that verifies.

The vulnerability affects all five AEAD modes supported: GCM, CCM, ChaCha20Poly1305, EAX, and OCB. However, the one-shot *_decrypt_verify helpers are not affected because they use constant-time comparison inside libtomcrypt.
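The description and executive summary above both hinge on one detail: a memcmp()-style comparison stops at the first mismatching byte, so the amount of work done (and therefore the elapsed time) grows with the length of the matching prefix. The C example below is added here to illustrate that point; it is not code from CryptX or libtomcrypt. It places an instrumented version of the early-exit pattern next to a constant-time comparison that always touches every byte, and shows how the two behave on a constructed 16-byte sample tag (SAMPLE_TAG is made up for the demonstration; the helper names are the example's own).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16

/* Constructed sample tag for the demonstration (not a real CryptX tag). */
static const uint8_t SAMPLE_TAG[TAG_LEN] = {
    0x3a, 0x91, 0x0c, 0xf7, 0x58, 0x22, 0xe1, 0x4d,
    0xb6, 0x07, 0x9f, 0xc3, 0x6e, 0x10, 0xd5, 0x84
};

/* Mirrors the memNE(a, b, n) pattern, i.e. memcmp() != 0: returns nonzero
 * as soon as a differing byte is found.  *steps records how many byte
 * comparisons ran before returning, which is the quantity an observer sees
 * as run time.  The counter is instrumentation for this example only;
 * memcmp() itself exposes no such value. */
static int tag_differs_early_exit(const uint8_t *a, const uint8_t *b,
                                  size_t n, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 1;          /* short-circuit: work depends on the data */
    }
    return 0;
}

/* Constant-time comparison: ORs the XOR of every byte pair into an
 * accumulator, so the loop always performs n iterations and the result is
 * derived without a data-dependent branch.  Returns 1 if equal, 0 if not. */
static int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    /* acc == 0  ->  (0 - 1) wraps to 0xFFFFFFFF, top bit 1
     * acc != 0  ->  (acc - 1) is in 0..254,      top bit 0 */
    return (int)(((uint32_t)acc - 1u) >> 31);
}

/* Builds a candidate that matches SAMPLE_TAG in its first `prefix` bytes and
 * differs in every byte after that, then returns how many comparisons the
 * early-exit compare performed.  A count that grows with `prefix` is the
 * observable difference CWE-208 describes. */
size_t early_exit_steps_for_prefix(size_t prefix)
{
    uint8_t candidate[TAG_LEN];
    size_t steps, i;
    for (i = 0; i < TAG_LEN; i++)
        candidate[i] = (i < prefix) ? SAMPLE_TAG[i]
                                    : (uint8_t)(SAMPLE_TAG[i] ^ 0xFF);
    tag_differs_early_exit(SAMPLE_TAG, candidate, TAG_LEN, &steps);
    return steps;
}

/* Same candidate construction, verified with the constant-time compare.
 * Only a full-length matching prefix (prefix == TAG_LEN) yields 1. */
int ct_verify_for_prefix(size_t prefix)
{
    uint8_t candidate[TAG_LEN];
    size_t i;
    for (i = 0; i < TAG_LEN; i++)
        candidate[i] = (i < prefix) ? SAMPLE_TAG[i]
                                    : (uint8_t)(SAMPLE_TAG[i] ^ 0xFF);
    return tag_equal_ct(SAMPLE_TAG, candidate, TAG_LEN);
}

int main(void)
{
    size_t p;
    for (p = 0; p <= TAG_LEN; p++)
        printf("matching prefix %2zu: early-exit compared %2zu byte(s), "
               "constant-time verdict %d\n",
               p, early_exit_steps_for_prefix(p), ct_verify_for_prefix(p));
    return 0;
}
```

The constant-time version touches all TAG_LEN bytes whether the mismatch is at index 0 or index 15, so the verdict is the only thing that differs between candidates. For a deployment check, the question to ask of Perl code is whether it calls decrypt_done($tag) on a CryptX version before 0.088_001; the page notes that the one-shot *_decrypt_verify helpers are unaffected, and the fixed version is 0.088_001.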
