AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When...

5.1 / 10

MEDIUM

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Description

Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.

This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.

Basic Information

ID CVE-2026-6458

Source Caliptra

Published Jun 23, 2026 at 23:49

Affected Product

Vendor Caliptra

Product Core Runtime Firmware

Version 2.0.0

Affected Versions Caliptra Core Runtime Firmware 2.0.0
Caliptra Core Runtime Firmware 2.1.0

CWE Classification

CWE-325

References

github.com /chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr

{
    "lastseen": "",
    "description": "Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\n\nThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.",
    "published": "2026-06-23T23:49:44.591Z",
    "modified": "2026-06-23T23:49:44.591Z",
    "type": "cve",
    "title": "AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty",
    "source": "Caliptra",
    "references": "https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr",
    "id": "CVE-2026-6458",
    "bulletinFamily": "",
    "cwe": [
        "CWE-325"
    ],
    "cvelist": null,
    "sourceData": "Caliptra Core Runtime Firmware 2.0.0\nCaliptra Core Runtime Firmware 2.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Core Runtime Firmware",
    "version": "2.0.0",
    "vendor": "Caliptra",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty_CVE-2026-6458