UBUNTU-CVE-2026-13758

Source
https://ubuntu.com/security/CVE-2026-13758
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13758.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-13758
Upstream
Published
2026-06-29T21:16:00Z
Modified
2026-07-01T23:38:36.325276424Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

CryptX versions before 0.088001 for Perl compare AEAD authentication tags in non-constant time in the streaming decryptdone path. The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *decryptverify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison. The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.

References

Affected packages

Ubuntu:25.10
libcryptx-perl

Package

Name
libcryptx-perl
Purl
pkg:deb/ubuntu/libcryptx-perl?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.085-1
0.087-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libcryptx-perl",
            "binary_version": "0.087-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13758.json"
Ubuntu:26.04:LTS
libcryptx-perl

Package

Name
libcryptx-perl
Purl
pkg:deb/ubuntu/libcryptx-perl?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.087-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libcryptx-perl",
            "binary_version": "0.087-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13758.json"
Ubuntu:Pro:18.04:LTS
libcryptx-perl

Package

Name
libcryptx-perl
Purl
pkg:deb/ubuntu/libcryptx-perl?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.055-1
0.056-1
0.056-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libcryptx-perl",
            "binary_version": "0.056-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13758.json"
Ubuntu:Pro:20.04:LTS
libcryptx-perl

Package

Name
libcryptx-perl
Purl
pkg:deb/ubuntu/libcryptx-perl?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.064-1
0.064-1build1
0.066-1
0.067-1
0.067-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libcryptx-perl",
            "binary_version": "0.067-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13758.json"
Ubuntu:Pro:22.04:LTS
libcryptx-perl

Package

Name
libcryptx-perl
Purl
pkg:deb/ubuntu/libcryptx-perl?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.069-1build1
0.073-1
0.074-1
0.075-1
0.076-1
0.076-1build1
0.076-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libcryptx-perl",
            "binary_version": "0.076-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13758.json"
Ubuntu:Pro:24.04:LTS
libcryptx-perl

Package

Name
libcryptx-perl
Purl
pkg:deb/ubuntu/libcryptx-perl?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.078-1
0.080-1
0.080-2
0.080-2build1
0.080-2build2
0.080-2build3
0.080-2ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libcryptx-perl",
            "binary_version": "0.080-2ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13758.json"