CVE Catalog

CVE-2026-6092

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

Vulnerability in TLS/DTLS implementation where, when HAVE_ENCRYPT_THEN_MAC is configured, the system may incorrectly fall back to MAC-then-Encrypt instead of enforcing Encrypt-then-MAC.

Risk Assessment

An attacker could exploit this flaw to perform a padding oracle attack, potentially leading to data decryption or compromise of communication confidentiality.

Recommendation

It is recommended to update the TLS/DTLS library to the latest version that enforces Encrypt-then-MAC, or disable the HAVE_ENCRYPT_THEN_MAC option if not required.

Original NVD description (English source)

When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS