{"api_version":"1","generated_at":"2026-06-24T11:06:35+00:00","cve":"CVE-2026-6458","urls":{"html":"https://cve.report/CVE-2026-6458","api":"https://cve.report/api/cve/CVE-2026-6458.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6458","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6458"},"summary":{"title":"AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty","description":"Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\n\nThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.","state":"PUBLISHED","assigner":"Caliptra","published_at":"2026-06-24 00:16:34","updated_at":"2026-06-24 00:16:34"},"problem_types":["CWE-325","CWE-325 CWE-325 Missing Cryptographic Step"],"metrics":[{"version":"4.0","source":"b01ddd03-5ef6-483b-b2c5-acba77f1a554","type":"Secondary","score":"5.1","severity":"MEDIUM","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"5.1","severity":"MEDIUM","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":5.1,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr","name":"https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr","refsource":"b01ddd03-5ef6-483b-b2c5-acba77f1a554","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6458","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6458","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Caliptra","product":"Core Runtime Firmware","version":"affected 2.0.0 2.0.1 semver","platforms":[]},{"source":"CNA","vendor":"Caliptra","product":"Core Runtime Firmware","version":"affected 2.1.0 semver","platforms":[]},{"source":"CNA","vendor":"Caliptra","product":"Core Runtime Firmware","version":"unaffected 2.0.2 semver","platforms":[]},{"source":"CNA","vendor":"Caliptra","product":"Core Runtime Firmware","version":"unaffected 2.1.1 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"NVIDIA Offensive Security Research (OSR) team","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"collectionURL":"https://github.com/chipsalliance/caliptra-sw","defaultStatus":"unaffected","modules":["aes_256_gcm_update"],"packageName":"Core Runtime Firmware","product":"Core Runtime Firmware","vendor":"Caliptra","versions":[{"lessThanOrEqual":"2.0.1","status":"affected","version":"2.0.0","versionType":"semver"},{"status":"affected","version":"2.1.0","versionType":"semver"},{"status":"unaffected","version":"2.0.2","versionType":"semver"},{"status":"unaffected","version":"2.1.1","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"NVIDIA Offensive Security Research (OSR) team"}],"datePublic":"2026-06-23T19:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.<p>This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.</p>"}],"value":"Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\n\nThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0."}],"impacts":[{"capecId":"CAPEC-148","descriptions":[{"lang":"en","value":"CAPEC-148 Content Spoofing"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":5.1,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-325","description":"CWE-325 Missing Cryptographic Step","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-23T23:49:44.591Z","orgId":"b01ddd03-5ef6-483b-b2c5-acba77f1a554","shortName":"Caliptra"},"references":[{"url":"https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-834g-h5x6-2hqr"}],"source":{"discovery":"UNKNOWN"},"tags":["x_open-source"],"title":"AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"b01ddd03-5ef6-483b-b2c5-acba77f1a554","assignerShortName":"Caliptra","cveId":"CVE-2026-6458","datePublished":"2026-06-23T23:49:44.591Z","dateReserved":"2026-04-16T21:11:47.086Z","dateUpdated":"2026-06-23T23:49:44.591Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 00:16:34","lastModifiedDate":"2026-06-24 00:16:34","problem_types":["CWE-325","CWE-325 CWE-325 Missing Cryptographic Step"],"metrics":{"cvssMetricV40":[{"source":"b01ddd03-5ef6-483b-b2c5-acba77f1a554","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6458","Ordinal":"1","Title":"AES-256-GCM Authentication Tag Does Not Cover First Ciphertext B","CVE":"CVE-2026-6458","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6458","Ordinal":"1","NoteData":"Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.\n\nThis issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.","Type":"Description","Title":"AES-256-GCM Authentication Tag Does Not Cover First Ciphertext B"}]}}}