Timing Oracle Vulnerability in CryptX for Perl by DCIT
CVE-2026-13758


Key Information:

Vendor: Mik
Status: Vendor
CVE Published: 29 June 2026

What is CVE-2026-13758?

The vulnerability in CryptX for Perl arises from a non-constant-time comparison of AEAD authentication tags in the decrypt_done step. The check uses memcmp(), which returns as soon as it finds a differing byte, so the time it takes depends on how many leading bytes of a candidate tag match the expected tag. An attacker who can measure that timing difference learns how much of a submitted tag is correct and, by submitting many candidate tags, can use the oracle to recover a valid tag byte by byte, which in turn allows forging messages that pass authentication. The affected AEAD modes include GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot decryption helpers are not affected, as they already compare tags in constant time.
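
As an added illustration of the two comparison behaviours the advisory contrasts (not code from CryptX or its author), the C below puts an instrumented early-exit check beside a constant-time one and records how many bytes the leaky check reads for candidate tags that share a growing correct prefix with the expected tag. The tag bytes are constructed values, and TAG_LEN, tag_equal_leaky, tag_equal_ct and check_prefix are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>

#define TAG_LEN 16

/* memcmp()-style check that returns at the first differing byte, with a
 * counter showing how many bytes it read: that count, and so the time
 * taken, grows with the length of the matching prefix. This models the
 * behaviour the advisory describes; it is not CryptX's own code. */
static int tag_equal_leaky(const uint8_t *expected, const uint8_t *got,
                           size_t len, size_t *bytes_examined)
{
    *bytes_examined = 0;
    for (size_t i = 0; i < len; i++) {
        (*bytes_examined)++;
        if (expected[i] != got[i])
            return 0;
    }
    return 1;
}

/* Hardened comparison: reads every byte and ORs all differences into one
 * accumulator, so the work done does not depend on where, or whether,
 * the tags differ. Returns 1 on match, 0 otherwise. */
static int tag_equal_ct(const uint8_t *expected, const uint8_t *got, size_t len)
{
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(expected[i] ^ got[i]);
    return acc == 0;
}

/* Runs both checks on a constructed pair: an expected tag and a candidate
 * whose first `prefix` bytes match it and whose remaining bytes are wrong.
 * leaky_bytes tracks the prefix; ct_match is 1 only for a full match. */
struct verdict { size_t leaky_bytes; int ct_match; };
static struct verdict check_prefix(size_t prefix)
{
    uint8_t e[TAG_LEN], c[TAG_LEN];
    struct verdict v;
    for (size_t i = 0; i < TAG_LEN; i++) {
        e[i] = (uint8_t)(0xA0 + i);                 /* constructed tag byte */
        c[i] = i < prefix ? e[i] : (uint8_t)~e[i];  /* wrong past the prefix */
    }
    (void)tag_equal_leaky(e, c, TAG_LEN, &v.leaky_bytes);
    v.ct_match = tag_equal_ct(e, c, TAG_LEN);
    return v;
}
```

A real memcmp() may compare several bytes per step, so the granularity of the leak varies by platform, but the dependence on the matching prefix is the same; the constant-time form removes it.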

Affected Version(s)

CryptX >= 0, < 0.088_001 (all releases before 0.088_001)

Timeline

  • Vulnerability published

  • Vulnerability Reserved