222 matches found
bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons
A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...
bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons
A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...
Apache Tomcat - AJP secret compared in non-constant time
Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: The AJP secret was compared in non-constant time allowing an attacker on the local network to mount a timing...
CVE-2026-43514
CVE-2026-43514 describes an observable timing discrepancy in comparing the AJP secret in Apache Tomcat. Affected are Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109 (older unsupported versions may also be affe...
CVE-2026-43383
A flaw was found in the Linux kernel's TCP MD5 signature option. This vulnerability allows a remote attacker to perform timing attacks due to a non-constant-time comparison of Message Authentication Codes MACs. By observing the time taken for MAC comparisons, an attacker could potentially infer...
RHEL 7 / 8 / 9 : Red Hat JBoss Enterprise Application Platform 7.4.24 (RHSA-2026:12267)
The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:12267 advisory. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This...
Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.24 security update
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons
A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...
Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.24 security update
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons
A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...
EUVD-2026-22872
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84...
BIT-AUTHENTIK-2024-52307 authentik allows a timing attack due to missing constant time comparison for metrics view
authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRETKEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be...
CVE-2026-5598
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84...
DEBIAN-CVE-2026-5598
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84...
CVE-2026-5598
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84...
PT-2026-33032
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84...
Bouncy Castle Java 安全漏洞
Bouncy Castle Java is an open-source encryption algorithm developed by Legion of the Bouncy Castle Inc. There were security vulnerabilities in Bouncy Castle Java versions from 2.17.3 to 1.84. These vulnerabilities stemmed from non-constant time comparisons, which could lead to the exposure of the...
Node.js: Node.js: Information disclosure via timing oracle in HMAC verification
A flaw was found in Node.js. The HMAC Hash-based Message Authentication Code verification process uses a comparison method that does not take a constant amount of time. This non-constant-time comparison can leak timing information, which, under specific conditions where precise timing measurement...
CVE-2026-21713
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...
CVE-2026-21713
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...