Impact
CryptX for Perl verifies the authentication tag in the streaming decrypt_done path by comparing the caller-supplied tag against the computed tag with memNE, a non-constant-time comparison that returns as soon as it finds the first differing byte. Because the time spent in the comparison grows with the length of the matching prefix, the early exit turns decrypt_done into a tag-verification oracle. An attacker who can repeatedly submit candidate tags for the same nonce, ciphertext and associated data, and who can measure the elapsed time of each call precisely enough, learns at each step whether one more byte of the guess is correct and so recovers the expected tag one byte at a time: at most 256 guesses per byte, rather than a search over the whole tag space, after which the attacker holds a ciphertext and tag pair that the library will accept as authentic. The key itself is not recovered; each forged message requires its own recovery run, but no secret material is needed to carry it out.
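The following C program is an added illustration of the mechanism described above; it is not code from CryptX, libtomcrypt or Perl's memNE implementation. It models the early-exit comparison beside a constant-time one, then runs the byte-at-a-time recovery against each. The number of bytes the comparison examined stands in for elapsed time, which makes this an idealised, noise-free oracle (a real attacker sees a noisy timing signal and must repeat measurements), and the 16-byte tag is a constructed constant, not the output of any AEAD computation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare function shape used by the model: returns nonzero when the tags
   differ and writes the number of bytes examined to *steps. The step count
   stands in for the time an attacker would measure (assumption of this
   model; a real attacker only sees a noisy latency). */
typedef int (*tag_cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Early-exit comparison: the behaviour the advisory attributes to memNE.
   Work done grows with the length of the matching prefix. */
static int early_exit_ne(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time comparison: every byte is folded into an accumulator and the
   verdict is derived only at the end, so the work done does not depend on
   where the first difference is. */
static int ct_ne(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    return acc != 0;
}

/* Byte-at-a-time recovery against an oracle built on `cmp`. For each
   position the attacker tries all 256 values and keeps the one for which
   the comparison advanced past that position; the final byte is settled by
   the accept/reject verdict itself. Returns the number of oracle queries. */
static size_t recover_tag(tag_cmp_fn cmp, const uint8_t *expected, uint8_t *guess, size_t n)
{
    size_t queries = 0;
    memset(guess, 0, n);
    for (size_t i = 0; i < n; i++) {
        for (int c = 0; c < 256; c++) {
            size_t steps;
            guess[i] = (uint8_t)c;
            int ne = cmp(expected, guess, n, &steps);
            queries++;
            if (!ne || steps > i + 1)
                break;
        }
    }
    return queries;
}

/* Constructed 16-byte tag for the demonstration (no zero bytes, so a
   zero-filled guess always differs at the first unrecovered position). */
static const uint8_t DEMO_TAG[16] = {
    0x9f, 0x3a, 0x71, 0xc2, 0x08, 0xe4, 0x5d, 0xb6,
    0x27, 0xf0, 0x19, 0x8c, 0x63, 0xaa, 0x4e, 0xd1
};

/* Steps reported by `cmp` for a guess that matches DEMO_TAG in exactly its
   first k bytes (k < 16) and differs at byte k. */
static size_t steps_for_prefix(tag_cmp_fn cmp, size_t k)
{
    uint8_t guess[sizeof DEMO_TAG];
    size_t steps;
    memcpy(guess, DEMO_TAG, k);
    memset(guess + k, 0, sizeof DEMO_TAG - k);
    cmp(DEMO_TAG, guess, sizeof DEMO_TAG, &steps);
    return steps;
}

struct attack_result { int recovered; size_t queries; };

/* Run the recovery against `cmp` and report whether the whole tag came back. */
static struct attack_result attack(tag_cmp_fn cmp)
{
    struct attack_result r;
    uint8_t guess[sizeof DEMO_TAG];
    r.queries = recover_tag(cmp, DEMO_TAG, guess, sizeof DEMO_TAG);
    r.recovered = memcmp(guess, DEMO_TAG, sizeof DEMO_TAG) == 0;
    return r;
}

int main(void)
{
    struct attack_result ee = attack(early_exit_ne);
    struct attack_result ct = attack(ct_ne);
    printf("early-exit compare:    recovered=%d queries=%zu\n", ee.recovered, ee.queries);
    printf("constant-time compare: recovered=%d queries=%zu\n", ct.recovered, ct.queries);
    return 0;
}
```

Compile with `cc -std=c99 -o tag_oracle tag_oracle.c`. Against the early-exit comparison the loop recovers the full tag in 2051 queries for this constant (never more than 16 * 256 = 4096 for any 16-byte tag), which is what makes the oracle practical; against the constant-time comparison every guess reports the same step count, the loop learns nothing from it, and the only remaining signal is the accept/reject verdict, which is exactly what a correct AEAD verifier is allowed to expose.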
Affected Systems
All versions of CryptX for Perl prior to 0.088_001 are affected. The flaw is present in the streaming decrypt_done path of all five supported AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are not affected, because they perform a constant-time comparison internally; code that uses only those helpers does not expose the oracle, whatever version is installed. The affected product is CryptX (vendor MIK), distributed through CPAN.
Risk and Exploitability
No CVSS score is provided in the public data, the EPSS score is reported as unavailable, and the flaw is not listed in the CISA KEV catalog. Exploitability hinges on two conditions: the attacker must be able to drive decrypt_done repeatedly with chosen tags for a fixed nonce, ciphertext and associated data, and must be able to observe the latency of each call with enough precision to distinguish one extra matched byte. Where an application exposes the streaming decrypt path to untrusted input, for example a network service or plugin interface that verifies caller-supplied tags, the oracle is reachable remotely; network jitter raises the number of measurements needed but does not remove the signal. In a local context, any code that can submit tags to the library and time the call, privileged or not, obtains the same oracle. The consequence in either case is a loss of integrity: messages the application trusts as authenticated can be forged, which in turn enables data tampering and, where the authenticated data carries authorization decisions, privilege escalation.
OpenCVE Enrichment