CVE-2026-6458
Received
Received - Intake
Incorrect GCM Authentication Tag in Caliptra Core Firmware
Publication date: 2026-06-24
Last updated on: 2026-06-24
Assigner: b01ddd03-5ef6-483b-b2c5-acba77f1a554
Description
Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.
This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.
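The failure mode described above, as an added example that is not Caliptra's code: a simplified Rust model of streaming GHASH with empty AAD, where a hypothetical `skip_first_save` flag reproduces the missing save, plus a regression check that a one-bit change in the first batch alters the result. All function names and sample values are constructed for illustration, AES is omitted, and batch lengths are assumed to be multiples of 16 bytes.

```rust
// Simplified model of the defect, not Caliptra source. AES is left out: for a fixed
// key and IV the GCM tag is GHASH XOR a constant, so equal GHASH means equal tag.

/// Multiply in GF(2^128) as GCM defines it (NIST SP 800-38D; bit 127 is x^0).
fn gf_mul(x: u128, y: u128) -> u128 {
    let (mut z, mut v) = (0u128, y);
    for i in 0..128 {
        if (x >> (127 - i)) & 1 == 1 {
            z ^= v;
        }
        v = if v & 1 == 1 { (v >> 1) ^ (0xE1u128 << 120) } else { v >> 1 };
    }
    z
}

/// Fold ciphertext into accumulator `y` (assumption: length is a multiple of 16 bytes).
fn absorb(h: u128, mut y: u128, data: &[u8]) -> u128 {
    for block in data.chunks_exact(16) {
        let x = block.iter().fold(0u128, |acc, &b| (acc << 8) | b as u128);
        y = gf_mul(y ^ x, h);
    }
    y
}

/// Streaming GHASH with empty AAD. `skip_first_save` (hypothetical flag) models the
/// defect: the accumulator is not written back to the context after the first update.
fn streaming_ghash(h: u128, batches: &[&[u8]], skip_first_save: bool) -> u128 {
    let (mut saved, mut total_bits) = (0u128, 0u128);
    for (i, batch) in batches.iter().enumerate() {
        let y = absorb(h, saved, batch); // restore saved state, process this batch
        if !(skip_first_save && i == 0) {
            saved = y; // save the accumulator for the next call
        }
        total_bits += 8 * batch.len() as u128;
    }
    gf_mul(saved ^ total_bits, h) // final length block: len(AAD) = 0 || len(C)
}

/// Regression check: flipping one bit in the first batch must change the result.
fn first_batch_is_authenticated(skip_first_save: bool) -> bool {
    let h = 0x66e94bd4ef8a2c3b884cfa59ca342b2e_u128; // constructed sample hash subkey
    let (first, second) = ([0x11u8; 32], [0x22u8; 16]); // constructed ciphertext batches
    let mut tampered = first;
    tampered[0] ^= 0x01;
    streaming_ghash(h, &[&first[..], &second[..]], skip_first_save)
        != streaming_ghash(h, &[&tampered[..], &second[..]], skip_first_save)
}
```

The same shape of check, run against a real streaming AES-256-GCM implementation with empty AAD and compared with a one-shot computation over the same data, distinguishes affected from fixed builds.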
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | caliptra_runtime | From 2.0.0 (inc) to 2.0.1 (inc) |
| nvidia | caliptra_runtime | 2.1.0 |
| nvidia | caliptra_runtime | 2.0.2 |
| nvidia | caliptra_runtime | 2.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-325 | The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. |