CVE Catalog

CVE-2026-5419

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

A flaw was found in GnuTLS where the PKCS#7 padding check during decryption was not constant-time. This timing side-channel could allow a remote attacker to leak sensitive information about padding bytes through observable timing differences.

Risk Assessment

An attacker could exploit timing differences to recover sensitive data, posing a risk to the confidentiality of processed information in systems using GnuTLS for decryption with PKCS#7 padding.

Recommendation

Immediately update GnuTLS to a version that fixes the constant-time padding check for PKCS#7. If an update is not possible, consider temporarily disabling decryption with PKCS#7 padding.

Original NVD description (English source)

A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS