Lucene search
+L

937 matches found

NVD
NVD
added yesterday7 views

CVE-2026-9537

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of...

Exploits0References2
Cvelist
Cvelist
added yesterday21 views

CVE-2026-9537 Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of...

Exploits0References1
NVD
NVD
added 3 days ago6 views

CVE-2026-56764

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing...

6.3CVSS0.00229EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago32 views

CVE-2026-56764 Hono - Timing Attack in basicAuth and bearerAuth Middleware

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing...

6.3CVSS0.00229EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago4 views

EUVD-2026-44631

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing...

6.3CVSS6.1AI score0.00229EPSS
Exploits0References2
OSV
OSV
added 3 days ago4 views

CVE-2026-56764 Hono - Timing Attack in basicAuth and bearerAuth Middleware

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing...

6.3CVSS6.1AI score0.00229EPSS
Exploits0References4
OSV
OSV
added 4 days ago5 views

JLSEC-2026-688 Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into...

Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks...

1CVSS6.1AI score0.00129EPSS
Exploits0References3
OSV
OSV
added 4 days ago4 views

JLSEC-2026-709

wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions sp256mul9, sp256sqr9, etc., leading to a timing...

5.9CVSS6.1AI score0.00265EPSS
Exploits0References1
OSV
OSV
added 4 days ago4 views

JLSEC-2026-745 Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData...

Bleichenbacher padding oracle in PKCS7 KTRI decryption. When decrypting PKCS7 EnvelopedData using RSA PKCS1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RSA padding validation failed versus whether the decrypted content was malformed. An attacker able to...

6.5CVSS6.1AI score0.00152EPSS
Exploits0References5
NVD
NVD
added 2026/07/08 11:16 a.m.9 views

CVE-2026-15041

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash...

3.7CVSS0.003EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 11:16 a.m.4 views

DEBIAN-CVE-2026-15041

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash...

3.7CVSS6.1AI score0.003EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/08 10:15 a.m.8 views

CVE-2026-15041

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash...

3.7CVSS5.9AI score0.003EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/08 10:15 a.m.50 views

CVE-2026-15041 389-ds-base: 389-ds-base: non-constant-time comparison in pbkdf2-sha256 password verification

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash...

3.7CVSS0.003EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/07/08 10:15 a.m.6 views

CVE-2026-15041

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash...

3.7CVSS5.9AI score0.003EPSS
Exploits0References3
OPENSUSE Linux
OPENSUSE Linux
added 2026/07/07 12:0 a.m.5 views

Security update for perl-Crypt-SaltedHash (critical)

openSUSE Security Update: Security update for perl-Crypt-SaltedHash Announcement ID: openSUSE-SU-2026:0230-1 Rating: critical References: 1265912 1265927 Cross-References: CVE-2026-47372 CVE-2026-47373 Affected Products: openSUSE Backports SLE-15-SP7 An update that fixes two vulnerabilities is no...

9.1CVSS5.9AI score0.00397EPSS
Exploits0References2
NVD
NVD
added 2026/07/06 8:16 p.m.6 views

CVE-2026-41516

OP-TEE is a Trusted Execution Environment TEE designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA PKCS1 v1.5 decryption implementation in the Hisilicon HPRE crypto driver...

3.3CVSS0.00099EPSS
Exploits1References1
CVE
CVE
added 2026/07/06 7:25 p.m.16 views

CVE-2026-41515

OP-TEE (Trusted Execution Environment for Arm Cortex-A TrustZone) has a vulnerability in the RSA-OAEP decryption path within the NXP CAAM crypto driver. From version 3.9.0 up to, but not including, 4.11.0, the driver uses non-constant-time memcmp() for label hash verification, exposing a Manger-s...

3.3CVSS6AI score0.00094EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/30 2:26 p.m.36 views

CVE-2026-27882 Coolify: Timing Attack in GitLab Webhook Token Validation

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator !== to validate the webhook secret token. This implementation is vulnerable to timing attack...

4.8CVSS0.00146EPSS
Exploits0References1
OSV
OSV
added 2026/06/29 9:16 p.m.7 views

UBUNTU-CVE-2026-13758

CryptX versions before 0.088001 for Perl compare AEAD authentication tags in non-constant time in the streaming decryptdone path. The decryptdone$tag form compares it against the computed tag with memNE memcmp != 0, which short-circuits on the first differing byte, so its run time depends on the...

3.7CVSS5.8AI score0.00295EPSS
Exploits0References6
Debian CVE
Debian CVE
added 2026/06/29 8:42 p.m.7 views

CVE-2026-13758

CryptX versions before 0.088001 for Perl compare AEAD authentication tags in non-constant time in the streaming decryptdone path. The decryptdone$tag form compares it against the computed tag with memNE memcmp != 0, which short-circuits on the first differing byte, so its run time depends on the...

3.7CVSS5.8AI score0.00295EPSS
Exploits0
Rows per page
Query Builder