Variable-time Comparison Flaw in phpseclib Library
CVE-2026-40194

3.7 LOW

Key Information:

Vendor: PHPseclib

Status
Vendor
CVE Published: 10 April 2026

What is CVE-2026-40194?

The phpseclib library, known for its secure communications capabilities, contains a flaw in the SSH packet HMAC comparison process. Versions before the fix use the PHP '!=' operator for this comparison, which runs in variable time because it relies on memcmp(). An attacker may be able to use the resulting timing discrepancies to infer information about the HMAC, compromising security. The vulnerability has been addressed in versions 3.0.51, 2.0.53, and 1.0.28.
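The difference between the flagged comparison and a constant-time one, as an added PHP example (not phpseclib's code or its actual patch). The key, packet bytes and function names are constructed for illustration; the MAC input of sequence number followed by packet follows RFC 4253, section 6.4.

```php
<?php
declare(strict_types=1);

// Constructed demo key; not taken from phpseclib or any real SSH session.
const MAC_KEY = 'constructed-demo-key';

// MAC over uint32 sequence number || packet (RFC 4253, section 6.4).
function packet_mac(int $seq, string $packet, string $key): string
{
    return hash_hmac('sha256', pack('N', $seq) . $packet, $key, true);
}

// Weak form: '!=' on strings can return at the first differing byte,
// so the time taken depends on how many leading bytes already match.
function verify_variable_time(string $expected, string $received): bool
{
    return !($expected != $received);
}

// Hardened form: hash_equals() takes the same time wherever the
// mismatch is, for inputs of equal length.
function verify_constant_time(string $expected, string $received): bool
{
    return hash_equals($expected, $received);
}

// What a constant-time comparison does internally: touch every byte,
// accumulate the differences, decide once at the end.
function verify_xor_accumulate(string $expected, string $received): bool
{
    if (strlen($expected) !== strlen($received)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($received[$i]);
    }
    return $diff === 0;
}

$mac = packet_mac(7, "constructed packet bytes", MAC_KEY);
$badFirst = $mac;
$badFirst[0] = chr(ord($mac[0]) ^ 0x01);    // mismatch at the first byte
$badLast = $mac;
$badLast[31] = chr(ord($mac[31]) ^ 0x01);   // mismatch at the last byte

// All three verifiers agree on the result; only the first one's running
// time can differ between $badFirst and $badLast.
foreach (['valid' => $mac, 'bad first' => $badFirst, 'bad last' => $badLast] as $label => $candidate) {
    printf("%-9s %d %d %d\n", $label, verify_variable_time($mac, $candidate),
        verify_constant_time($mac, $candidate), verify_xor_accumulate($mac, $candidate));
}
```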

Affected Version(s)

phpseclib < 1.0.28

phpseclib >= 2.0.0, < 2.0.53

phpseclib >= 3.0.0, < 3.0.51

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
