CVE-2026-5419
GnuTLS PKCS#7 Padding Timing Side-Channel Vulnerability
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnutls | gnutls | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in gnutls related to the PKCS#7 padding check during decryption. The padding check is not performed in constant time, which means the time it takes to check the padding can vary depending on the data.
Because of this timing difference, a remote attacker could potentially observe these variations and use them as a side-channel to leak sensitive information about the padding bytes.
This type of vulnerability is classified as an information disclosure issue.
How can this vulnerability impact me? :
This vulnerability could allow a remote attacker to gain sensitive information by exploiting timing differences during the decryption process.
Although the impact is limited to information disclosure and does not affect integrity or availability, leaking padding information could potentially aid attackers in further cryptographic attacks or data recovery.
The CVSS score of 3.7 indicates a low severity, meaning the impact is limited but still relevant for security considerations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability is an information disclosure flaw in gnutls where a timing side-channel could allow a remote attacker to leak sensitive information about padding bytes.
Such information disclosure vulnerabilities can potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized data leakage.
However, the provided information does not specify the exact compliance impact or whether this vulnerability has been linked to any compliance violations.