CVE-2026-13758
Severity: Low (CVSS 3.7)
Exploitation Probability (EPSS): Low risk, 13th percentile (higher than 13% of all known CVEs)
Summary
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form checks the supplied tag against the computed one with memNE (memcmp() != 0), which returns at the first differing byte, so its run time depends on how many leading bytes of the candidate tag are correct.
Risk Assessment
The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data, and who can measure the decryptor's response time precisely enough, can recover the expected tag byte by byte (at most 256 guesses per byte instead of 2^128 for a 16-byte tag) and then forge a message that verifies. All five AEAD modes are affected through the streaming API: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are not affected, since they verify the tag inside libtomcrypt with a constant-time comparison.
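The following C program is an added illustration of the mechanism described above; it is not CryptX or libtomcrypt code. It models the memNE-style compare next to a constant-time compare, instrumenting each with a count of bytes examined (an idealised, noise-free stand-in for measured time), and runs the byte-by-byte recovery against both. The 16-byte tag, the verifier struct and all function names are constructed for the example.

```c
/* Added example: short-circuit vs constant-time tag compare, and the
 * byte-by-byte recovery the short-circuit version permits.
 * Constructed for illustration; not CryptX or libtomcrypt code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Models memNE (memcmp() != 0): stops at the first differing byte.
 * *steps = number of bytes examined, standing in for running time. */
static int short_circuit_ne(const uint8_t *a, const uint8_t *b,
                            size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time compare: ORs every byte difference, never exits early,
 * so *steps is always n no matter where the tags differ. */
static int ct_ne(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    *steps = i;
    return acc != 0;
}

/* The decrypting side holds the secret expected tag (hypothetical struct). */
struct verifier {
    uint8_t expected[TAG_LEN];
};

/* One oracle query: 1 = rejected, 0 = accepted. *steps is the leaked
 * timing signal when the vulnerable compare is in use. */
static int query(const struct verifier *v, const uint8_t *candidate,
                 int vulnerable, size_t *steps)
{
    if (vulnerable)
        return short_circuit_ne(v->expected, candidate, TAG_LEN, steps);
    return ct_ne(v->expected, candidate, TAG_LEN, steps);
}

/* Byte-by-byte recovery. At position pos only the correct guess lets the
 * compare advance past pos, so it alone yields steps > pos + 1; the last
 * byte is settled by the accept result. Returns the number of queries
 * used, or 0 if no candidate was ever accepted. */
static size_t recover_tag(const struct verifier *v, int vulnerable,
                          uint8_t out[TAG_LEN])
{
    size_t queries = 0;
    memset(out, 0, TAG_LEN);
    for (size_t pos = 0; pos < TAG_LEN; pos++) {
        size_t best_steps = 0;
        uint8_t best = 0;
        for (int g = 0; g < 256; g++) {
            size_t steps;
            out[pos] = (uint8_t)g;
            queries++;
            if (query(v, out, vulnerable, &steps) == 0)
                return queries;            /* accepted: tag recovered */
            if (steps > best_steps) {
                best_steps = steps;
                best = (uint8_t)g;
            }
        }
        out[pos] = best;
    }
    return 0;
}

/* Constructed secret tag for the demonstration (not a real AEAD output). */
static const uint8_t DEMO_TAG[TAG_LEN] = {
    0x8f,0x1a,0x00,0xc3,0x5e,0x77,0x21,0xab,
    0xd4,0x09,0x63,0xfe,0x10,0x2c,0x97,0x45
};

/* Bytes examined when a candidate matches exactly k leading bytes. */
static size_t steps_for_prefix(size_t k, int vulnerable)
{
    uint8_t cand[TAG_LEN];
    size_t steps;
    memcpy(cand, DEMO_TAG, TAG_LEN);
    if (k < TAG_LEN)
        cand[k] ^= 0xff;                   /* force a mismatch at index k */
    if (vulnerable)
        short_circuit_ne(DEMO_TAG, cand, TAG_LEN, &steps);
    else
        ct_ne(DEMO_TAG, cand, TAG_LEN, &steps);
    return steps;
}

/* Runs the attack; returns 1 if DEMO_TAG was recovered, 0 otherwise. */
static int demo(int vulnerable, size_t *queries_out)
{
    struct verifier v;
    uint8_t out[TAG_LEN];
    memcpy(v.expected, DEMO_TAG, TAG_LEN);
    size_t q = recover_tag(&v, vulnerable, out);
    if (queries_out)
        *queries_out = q;
    return q != 0 && memcmp(out, DEMO_TAG, TAG_LEN) == 0;
}

int main(void)
{
    size_t q;
    printf("short-circuit compare: recovered=%d after %zu queries (2^128 without the oracle)\n",
           demo(1, &q), q);
    printf("constant-time compare: recovered=%d\n", demo(0, NULL));
    return 0;
}
```

Against the short-circuit compare the recovery needs at most 256 queries per byte; against the constant-time compare every candidate costs the same number of steps, the guess never improves, and the attacker is back to guessing the whole tag. A real attacker sees noisy wall-clock time rather than a byte count and must repeat each query many times and average, which is the "precisely enough" condition in the description above.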
Recommendation
Update CryptX to version 0.088_001 or later, which compares tags in constant time in the decrypt_done path. Where an immediate upgrade is not possible, use the one-shot *_decrypt_verify helpers rather than the streaming decrypt_done($tag) form, since the one-shot helpers verify the tag inside libtomcrypt with a constant-time comparison.
Original NVD description (English source)
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison. The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.

