CVE-2026-33117
CriticalSummary
The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks.
Risk Assessment
Organizations using the vulnerable version of the library may be exposed to attacks that allow bypassing integrity verification of data, potentially leading to unauthorized access to sensitive information.
Recommendation
It is recommended to update the library to version 4.10.6 to mitigate this vulnerability and secure applications against potential attacks.
Original NVD description (English source)
The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.

