CVE-2026-5419
Awaiting Analysis Awaiting Analysis - Queue
GnuTLS PKCS#7 Padding Timing Side-Channel Vulnerability

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description
A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-20
NVD
CVE-2026-5419
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnutls gnutls *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in gnutls related to the PKCS#7 padding check during decryption. The padding check is not performed in constant time, which means the time it takes to check the padding can vary depending on the data.

Because of this timing difference, a remote attacker could potentially observe these variations and use them as a side-channel to leak sensitive information about the padding bytes.

This type of vulnerability is classified as an information disclosure issue.

Impact Analysis

This vulnerability could allow a remote attacker to gain sensitive information by exploiting timing differences during the decryption process.

Although the impact is limited to information disclosure and does not affect integrity or availability, leaking padding information could potentially aid attackers in further cryptographic attacks or data recovery.

The CVSS score of 3.7 indicates a low severity, meaning the impact is limited but still relevant for security considerations.

Compliance Impact

This vulnerability is an information disclosure flaw in gnutls where a timing side-channel could allow a remote attacker to leak sensitive information about padding bytes.

Such information disclosure vulnerabilities can potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized data leakage.

However, the provided information does not specify the exact compliance impact or whether this vulnerability has been linked to any compliance violations.

Mitigation Strategies

To mitigate this vulnerability, you should update the GnuTLS library to the fixed version where the padding removal logic has been rewritten to operate in a branch-free manner, eliminating the timing side-channel.

This update addresses the timing side-channel vulnerability in the PKCS#7 padding check during decryption and prevents potential information disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5419. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart