Unrated

Timing side-channel in CryptX AEAD streaming decrypt_done tag verification

IdentifiersCVE-2026-13758CWE-208

CVE-2026-13758 is an observable timing side-channel in CryptX for Perl affecting versions before 0.088_001. In the streaming AEAD decryption path, decrypt_done($tag) compares the caller-supplied authentication tag against the computed tag using memNE with memcmp()-style behavior. Because this comparison is not constant time and stops at the first differing byte, execution time varies with the number of matching leading bytes in the tag. The issue affects the AEAD modes GCM, CCM, ChaCha20Poly1305, EAX, and OCB. This creates a tag-verification oracle in the streaming API. The one-shot *_decrypt_verify helper functions are not affected because tag verification there is performed inside libtomcrypt using a constant-time comparison.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An attacker able to repeatedly test candidate tags for the same nonce, ciphertext, and associated data, while measuring response timing with sufficient precision, may recover the correct authentication tag incrementally byte by byte. This can allow forgery of a message that passes AEAD authentication checks in the vulnerable streaming verification path, undermining message integrity and authenticity guarantees for affected CryptX consumers.

Mitigation

If you can’t patch tonight, do this now.

Until patched, avoid using the streaming decrypt_done($tag) form for AEAD tag verification in affected CryptX versions. Where possible, switch to the one-shot *_decrypt_verify helpers, which are stated to be unaffected. Reduce attacker ability to perform repeated verification attempts against the same nonce, ciphertext, and associated data and to obtain precise timing measurements, although such measures are only partial mitigations and do not remove the underlying side channel.

Remediation

Patch, then assume compromise.

Upgrade CryptX to version 0.088_001 or later, where the vulnerable non-constant-time tag comparison in the streaming decrypt_done path has been corrected. If code changes are feasible, prefer the one-shot *_decrypt_verify helpers for AEAD verification because the provided context states those helpers perform constant-time verification inside libtomcrypt and are unaffected.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

7 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-13758

NVD

nvd.nist.gov/vuln/detail/CVE-2026-13758

MITRE CWE · CWE-208

cwe.mitre.org