RustSec logo

HistoryEditJSON (OSV)

RUSTSEC-2026-0211

Non-constant time Authentication Tag Check in AES-GCM Decryption

Reported
Issued
Package
libcrux-aesgcm (crates.io)
Type
Vulnerability
Categories
References
CVSS Score
6.3 MEDIUM
CVSS Details
Attack Complexity
Low
Attack Requirements
Present
Attack Vector
Network
Privileges Required
None
Availability Impact to the Subsequent System
None
Confidentiality Impact to the Subsequent System
None
Integrity Impact to the Subsequent System
None
User Interaction
None
Availability Impact to the Vulnerable System
None
Confidentiality Impact to the Vulnerable System
None
Integrity Impact to the Vulnerable System
Low
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Patched
no patched versions
Affected Functions
Version
libcrux_aesgcm::AesGcm128Key::decrypt
  • <=0.0.8
libcrux_aesgcm::AesGcm256Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::AesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::neon::NeonAesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::portable::PortableAesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_128::x64::X64AesGcm128::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::AesGcm256::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::neon::NeonAesGcm256::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::portable::PortableAesGcm256::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::Key::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::KeyRef::decrypt
  • <=0.0.8
libcrux_aesgcm::aes_gcm_256::x64::X64AesGcm256::decrypt
  • <=0.0.8

Description

AES-GCM decryption used an implementation for checking the provided authentication tag against the recomputed authentication tag that was intended to be constant-time, but resulted in non-constant-time code generation in certain circumstances. Note that libcrux-aesgcm does not give guarantees on constant-time code generation and possible mitigations must be considered on a best-effort basis.

Impact

Users of libcrux-aesgcm that expose a decryption oracle to an attacker, which allows repeatedly querying for the same ciphertext were at risk from timing side-channel attacks, depending on their compilation environment. In the worst case, this could lead to recovery of the recomputed authentication tag by the attacker, which enables ciphertext forgery.

Mitigation

Starting from version 0.0.9 (published as libcrux-aes@v0.0.9), AES-GCM decryption uses a different, best-effort constant-time implementation of the tag check, which has been checked to reliably lead to constant time code generation, at the moment.

Advisory available under CC0-1.0 license.