CVE-2026-6458 (GCVE-0-2026-6458)
Vulnerability from cvelistv5 – Published: 2026-06-23 23:49 – Updated: 2026-06-24 13:15 X_Open Source
VLAI
Title
AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty
Summary
Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.
This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-325 - Missing Cryptographic Step
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Caliptra | Core Runtime Firmware |
Affected:
2.0.0 , ≤ 2.0.1
(semver)
Affected: 2.1.0 (semver) Unaffected: 2.0.2 (semver) Unaffected: 2.1.1 (semver) |
Date Public
2026-06-23 19:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6458",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T13:14:19.562293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T13:15:03.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/chipsalliance/caliptra-sw",
"defaultStatus": "unaffected",
"modules": [
"aes_256_gcm_update"
],
"packageName": "Core Runtime Firmware",
"product": "Core Runtime Firmware",
"vendor": "Caliptra",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.0.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.1.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "NVIDIA Offensive Security Research (OSR) team"
}
],
"datePublic": "2026-06-23T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\u003cp\u003eThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.\u003c/p\u003e"
}
],
"value": "Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\n\nThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-325",
"description": "CWE-325 Missing Cryptographic Step",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T23:49:44.591Z",
"orgId": "b01ddd03-5ef6-483b-b2c5-acba77f1a554",
"shortName": "Caliptra"
},
"references": [
{
"url": "https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "b01ddd03-5ef6-483b-b2c5-acba77f1a554",
"assignerShortName": "Caliptra",
"cveId": "CVE-2026-6458",
"datePublished": "2026-06-23T23:49:44.591Z",
"dateReserved": "2026-04-16T21:11:47.086Z",
"dateUpdated": "2026-06-24T13:15:03.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-6458",
"date": "2026-06-26",
"epss": "0.00128",
"percentile": "0.0283"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6458\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-24T13:14:19.562293Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-24T13:14:56.051Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"NVIDIA Offensive Security Research (OSR) team\"}], \"impacts\": [{\"capecId\": \"CAPEC-148\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-148 Content Spoofing\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Caliptra\", \"modules\": [\"aes_256_gcm_update\"], \"product\": \"Core Runtime Firmware\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.0.1\"}, {\"status\": \"affected\", \"version\": \"2.1.0\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"2.0.2\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"2.1.1\", \"versionType\": \"semver\"}], \"packageName\": \"Core Runtime Firmware\", \"collectionURL\": \"https://github.com/chipsalliance/caliptra-sw\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-06-23T19:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\\n\\nThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\u003cp\u003eThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-325\", \"description\": \"CWE-325 Missing Cryptographic Step\"}]}], \"providerMetadata\": {\"orgId\": \"b01ddd03-5ef6-483b-b2c5-acba77f1a554\", \"shortName\": \"Caliptra\", \"dateUpdated\": \"2026-06-23T23:49:44.591Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-6458\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-24T13:15:03.109Z\", \"dateReserved\": \"2026-04-16T21:11:47.086Z\", \"assignerOrgId\": \"b01ddd03-5ef6-483b-b2c5-acba77f1a554\", \"datePublished\": \"2026-06-23T23:49:44.591Z\", \"assignerShortName\": \"Caliptra\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…