JLSEC-2026-524

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS1 v1.5 padding...

guntls: gnutls: Information disclosure via timing side-channel in PKCS#7 padding removal

A flaw was found in gnutls. The PKCS7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of...

MGASA-2025-0287 Updated perl-Crypt-OpenSSL-RSA packages fix security vulnerability

Perl-crypt-openssl-rsa: side-channel attack in pkcs1 v1.5 padding mode marvin attack. CVE-2024-2467...

CVE-2025-9071 Insecure RSA-OAEP implementation with all-zero seed for padding in Oberon PSA Crypto

Erroneously using an all-zero seed for RSA-OEAP padding instead of the generated random bytes, in Oberon microsystems AG’s Oberon PSA Crypto library in all versions up to 1.5.1, results in deterministic RSA and thus in a loss of confidentiality for guessable messages, recognition of repeated...

CVE-2025-7383 Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in Oberon PSA Crypto library

Padding oracle attack vulnerability in Oberon microsystem AG’s Oberon PSA Crypto library in all versions since 1.0.0 and prior to 1.5.1 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS7 decrypt operations...

Medium: perl-Crypt-OpenSSL-RSA

Issue Overview: A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial...

Covert Timing Channel

Overview Affected versions of this package are vulnerable to Covert Timing Channel in block cipher padding removal. An attacker can recover plaintext data by exploiting timing discrepancies during decryption when PKCS7 padding mode is used. Remediation Upgrade mbedtls to version 3.6.4 or higher...

DEBIAN-CVE-2023-46809

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/hkario/marvin/, if PCKS 1 v1.5 padding is allowed when performing RSA descryption using a privat...

UBUNTU-CVE-2023-5992

A vulnerability was found in OpenSC where PKCS1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data...

gnutls: timing side-channel in the RSA-PSK authentication

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS1 v1.5 padding...

OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547)

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or...

gnutls: timing side-channel in the RSA-PSK authentication

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS1 v1.5 padding...

php: potential exposure to Marvin attack via unsafe implementation of RSA decryption API

The RSA decryption implementation using PKCS1 v1.5 padding in OpenSSL is vulnerable to a timing side-channel attack known as the Marvin Attack. This vulnerability arises because the execution time of the opensslprivatedecrypt function in PHP with OpenSSL varies based on whether a valid message is...

PT-2023-31717 · Crypto++ +1 · Crypto++ +1

Name of the Vulnerable Software and Affected Versions: Crypto++ versions through 8.9.0 Description: The issue is related to a Marvin side channel during decryption with PKCS1 v1.5 padding. Recommendations: For versions through 8.9.0, update to a version that contains a fix for this issue to preve...

ALPINE-CVE-2023-5981

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS1 v1.5 padding...

SUSE CVE-2015-7827

Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remote attackers to conduct million-message attacks by measuring time differences, related to decoding of PKCS1 padding...

CVE-2022-25218

The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetdstartup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's...

Design/Logic Flaw

The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetdstartup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's...

Multiple RSA implementations fail to properly handle signatures

Overview Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. Description RSA signatures are used to authenticate the source of a message. To prevent RSA signatures from being forged, messages are padded with data t...

openssl signature forgery

OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS 1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying...