Description
In the Linux kernel, the following vulnerability has been resolved:

net/tcp-ao: Fix MAC comparison to be constant-time

To prevent timing attacks, MACs need to be compared in constant
time. Use the appropriate helper function for this.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel’s TCP‑Authenticated‑Over stack compares Message Authentication Codes (MACs) using a routine that can reveal timing information, creating a side‑channel that could let a remote attacker infer the correct MAC by measuring packet processing time. This inference is based on the described mitigation of timing attacks and the nature of MAC comparisons. The patch replaces the non‑constant‑time logic with a constant‑time helper function, eliminating the leakage and mitigating a potential timing side‑channel, classified as CWE‑208.

Affected Systems

All Linux kernel releases that include TCP‑AO, as indicated by the supplied CPEs, are affected. No specific kernel versions are listed, so any installation where TCP‑AO is enabled is potentially vulnerable.

Risk and Exploitability

The CVSS score of 9.8 signals a severe vulnerability, but the EPSS score of less than 1% indicates a very low probability of public exploitation. The vulnerability is not in the CISA KEV catalog, so no widespread attacks are documented. A likely exploitation scenario would involve a remote attacker sending crafted packets to a host with TCP‑AO enabled and performing precise timing analysis of packet handling durations.

Generated by OpenCVE AI on May 26, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the constant‑time MAC comparison patch
  • If an upgrade is not immediately possible, disable or restrict the use of TCP‑AO on affected hosts
  • Continuously monitor vendor advisories for additional patches or guidance

Generated by OpenCVE AI on May 26, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 09 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-613

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-208
References

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-613

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
Title net/tcp-ao: Fix MAC comparison to be constant-time
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:23:32.719Z

Reserved: 2026-05-01T14:12:56.006Z

Link: CVE-2026-43384

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:49.720

Modified: 2026-05-26T17:05:52.327

Link: CVE-2026-43384

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43384 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T19:15:13Z

Weaknesses