CVE Catalog
CVE-2026-6092
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk0.21%
11th percentile — higher than 11% of all known CVEs
Summary
Vulnerability in TLS/DTLS implementation where, when HAVE_ENCRYPT_THEN_MAC is configured, the system may incorrectly fall back to MAC-then-Encrypt instead of enforcing Encrypt-then-MAC.
Risk Assessment
An attacker could exploit this flaw to perform a padding oracle attack, potentially leading to data decryption or compromise of communication confidentiality.
Recommendation
It is recommended to update the TLS/DTLS library to the latest version that enforces Encrypt-then-MAC, or disable the HAVE_ENCRYPT_THEN_MAC option if not required.
Original NVD description (English source)
When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC.

