VDB
KO

RUSTSEC-2026-0211

Non-constant time Authentication Tag Check in AES-GCM Decryption

Details

AES-GCM decryption used an implementation for checking the provided authentication tag against the recomputed authentication tag that was intended to be constant-time, but resulted in non-constant-time code generation in certain circumstances. Note that `libcrux-aesgcm` does not give guarantees on constant-time code generation and possible mitigations must be considered on a best-effort basis.

## Impact Users of `libcrux-aesgcm` that expose a decryption oracle to an attacker, which allows repeatedly querying for the same ciphertext were at risk from timing side-channel attacks, depending on their compilation environment. In the worst case, this could lead to recovery of the recomputed authentication tag by the attacker, which enables ciphertext forgery.

## Mitigation Starting from version `0.0.9` (published as `libcrux-aes@v0.0.9`), AES-GCM decryption uses a different, best-effort constant-time implementation of the tag check, which has been checked to reliably lead to constant time code generation, at the moment.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / libcrux-aesgcm
Introduced in: 0.0.0-0

No fixed version published yet for libcrux-aesgcm. Pin to a known-safe version or switch to an alternative.

References