CVE-2026-13758
Real vuln, fresh NVD listing, but no PoC, KEV, or defender triage signal yet.
What: CryptX Perl library versions before 0.088_001 perform non-constant-time comparison of AEAD authentication tags in streaming decrypt_done(), enabling timing-based tag forgery across GCM, CCM, ChaCha20Poly1305, EAX, and OCB modes.
Why it matters: Published June 29, 2026; timing oracle allows attackers to recover authentication tags byte-by-byte and forge authenticated messages. Not KEV-listed; no public PoC or vendor advisories detected yet in supplied metadata. Early-stage disclosure.
Where it's seen: Bluesky posts republishing NVD description verbatim; predominantly Russian-language crypto security blogs amplifying the advisory. No defender questions, no PoC drops, no urgent patching signals yet.
RISK: HIGH — Cryptographic oracle in streaming mode affects all AEAD implementations; forgery possible.
Description
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison. The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.