23 matches found
UBUNTU-CVE-2026-50722
Libreswan, via the function RSAauthenticatehashsignaturepkcs115rsa, did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v15 RFC 8017. A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload...
CVE-2026-6291
Bleichenbacher padding oracle in PKCS7 KTRI decryption. When decrypting PKCS7 EnvelopedData using RSA PKCS1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RSA padding validation failed versus whether the decrypted content was malformed. An attacker able to...
CVE-2026-33662 OP-TEE: RSASSA EMSA- PKCS1-v1_5 underflow in emsa_pkcs1_v1_5_encode()
OP-TEE is a Trusted Execution Environment TEE designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsapkcs1v15encode in core/drivers/crypto/cryptoapi/acipher/rsassa.c, the amount of padding needed, "...
EUVD-2018-8004
Malware in sbrugna...
nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...
nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...
PT-2024-25007 · Unknown +1 · Rust-Openssl +1
Name of the Vulnerable Software and Affected Versions: rust-openssl affected versions not specified Description: A timing-based side-channel flaw exists in the rust-openssl package, which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve...
opencryptoki security update
3.21.0-9 - timing side-channel in handling of RSA PKCS1 v1.5 padded ciphertexts Marvin Resolves: RHEL-22792...
USN-6663-1 openssl update
As a security improvement, OpenSSL will now return deterministic random bytes instead of an error when detecting wrong padding in PKCS1 v1.5 RSA to prevent its use in possible Bleichenbacher timing attacks...
CVE-2023-50979
Crypto++ aka cryptopp through 8.9.0 has a Marvin side channel during decryption with PKCS1 v1.5 padding...
PT-2023-36151 · Openssl +1 · Openssl +1
Name of the Vulnerable Software and Affected Versions: openssl-ibmca versions prior to 2.4.0 Description: The issue concerns adjustments and fixes for OpenSSL versions 3.1 and 3.2, including support for RSA blinding, constant-time fixes for RSA PKCS1 v1.5 and OAEP padding, and support for 'implic...
DEBIAN-CVE-2022-24773
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that...
DEBIAN-CVE-2021-30130
phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS1 v1.5 signature verification...
AZL-34969 CVE-2020-25657 affecting package m2crypto for versions less than 0.38.0-3
A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality...
Lennyniu Tlslite-ng Encryption Problem Vulnerability
Lennyniu Tlslite-ng is a Python-based codebase used to provide SSLv3.0, TLS 1.0, TLS 1.1 and TLS 1.2 by the individual developer Lennyniu. A cryptographically problematic vulnerability previously existed in tlslite-ng 0.7.6 and 0.8.0-alpha39, which stemmed from code that relied on data to perform...
CVE-2020-14967
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts it decrypts modified ciphertexts without error. An attacker might prepend these bytes with the...
Memory corruption
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts it decrypts modified ciphertexts without error. An attacker might prepend these bytes with the...
CVE-2020-14967
CVE-2020-14967 affects the jsrsasign package for Node.js prior to version 8.0.18. The RSA PKCS1 v1.5 decryption path does not detect ciphertext modifications when zeros are prepended to ciphertexts, allowing modified ciphertexts to be decrypted without error and potentially triggering memory corr...
PT-2018-2489 · Gnu +2 · Gnutls +2
Name of the Vulnerable Software and Affected Versions: GnuTLS versions prior to 3.6.5 Description: The issue is related to an error in verifying decrypted RSA data, allowing an attacker to potentially access protected information through a side-channel cache attack. Specifically, a Bleichenbacher...
ALPINE-CVE-2018-16151
In verifyemsapkcs1signature in gmprsapublickey.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS1 v1.5 signature verification. Similar to the flaw in the same version of strongSwa...