
CVE-2026-40194

Source: NVD (NIST)
Published: Apr 10, 2026
Modified: May 8, 2026

CVSS v3.1 base score: 3.7 (Low)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.2 / Impact: 1.4
Score source: security-advisories@github.com (Secondary)

Description

phpseclib is a PHP secure communications library. Starting in 0.1.1 and prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. On equal-length binary strings, PHP's != is implemented with memcmp(), which returns as soon as it finds the first differing byte. The comparison therefore takes a time that depends on how many leading bytes of the received MAC match the expected one, a genuine variable-time comparison (CWE-208, Observable Timing Discrepancy), confirmed by scaling benchmarks. This vulnerability is fixed in 3.0.51, 2.0.53, and 1.0.28.
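The comparison the description refers to, set beside a constant-time replacement, as an added example written for this page and not phpseclib's own code; the key, sequence number and packet bytes are constructed, and the MAC input layout follows RFC 4253 (sequence number followed by the unencrypted packet).

```php
<?php
// Added example (not phpseclib's code): SSH-style packet MAC verification.
declare(strict_types=1);

// Variable-time check, as in the affected get_binary_packet(): on two
// equal-length binary strings PHP's != falls through to memcmp(), which
// stops at the first mismatching byte, so the elapsed time reveals how
// many leading bytes of a received MAC were correct. (Loose != also
// compares numerically when both strings happen to look numeric.)
function macMatchesVariableTime(string $received, string $computed): bool
{
    return !($received != $computed);
}

// Constant-time check: hash_equals() examines every byte regardless of
// where the first difference lies and returns false on a length mismatch.
// The known (locally computed) value goes first, the untrusted one second.
function macMatchesConstantTime(string $received, string $computed): bool
{
    return hash_equals($computed, $received);
}

// MAC input per RFC 4253 section 6.4: uint32 sequence number, then the
// unencrypted packet bytes. HMAC-SHA256 is used here for the example.
function computePacketMac(string $key, int $seqNo, string $packet): string
{
    return hash_hmac('sha256', pack('N', $seqNo) . $packet, $key, true);
}

// Constructed sample values: length field, padding length, payload, padding.
$key    = random_bytes(32);
$seqNo  = 7;
$packet = "\x00\x00\x00\x0c" . "\x06" . "hello" . random_bytes(6);
$mac    = computePacketMac($key, $seqNo, $packet);

// Untampered packet: both checks accept.
var_dump(macMatchesConstantTime($mac, computePacketMac($key, $seqNo, $packet)));

// Tampered payload ("hello" -> "jello"): both checks reject, but only
// hash_equals takes the same time however many leading MAC bytes match.
$tampered = substr_replace($packet, 'j', 5, 1);
var_dump(macMatchesConstantTime($mac, computePacketMac($key, $seqNo, $tampered)));
```

Auditing for this class of bug means searching MAC, signature and token checks for ==, !=, ===, !== and strcmp() and replacing them with hash_equals(); the fix is a one-line change per site.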

Affected products (3 version ranges)

Vendor: Phpseclib
Product: Phpseclib (Configuration A)

Vulnerable software and affected versions:
- Phpseclib, all versions up to and including 1.0.27
- Phpseclib, from 2.0.0 up to (not including) 2.0.53
- Phpseclib, from 3.0.0 up to (not including) 3.0.51


Timeline

No history available yet.