Description
Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.

This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.
Published: 2026-06-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A defect in the Caliptra Core Runtime Firmware’s aes_256_gcm_update module causes the GCM authentication tag to omit the first batch of ciphertext when the Additional Authenticated Data (AAD) is empty. Consequently, an attacker can alter the first block of encrypted data without the resulting tag detecting the tampering, potentially compromising data integrity.

Affected Systems

The vulnerability affects Caliptra Core Runtime Firmware versions 2.0.0 through 2.0.1 and 2.1.0.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, but the lack of an EPSS score and absence from the CISA KEV catalog suggest a lower likelihood of widespread exploitation at this time. The likely attack vector is an attacker who can supply crafted ciphertext to the streaming AES‑256‑GCM API, such as through a compromised communication channel or a malicious firmware component. With AAD empty, the missing GHASH accumulator state permits a modification that goes unchecked by the tag.

Generated by OpenCVE AI on June 24, 2026 at 09:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Caliptra Core Runtime Firmware to a version that includes the patch for this issue, if one is available.
  • Validate that the firmware image corresponds to a fixed release by checking the vendor’s release notes or verification hash.
  • If a patch is not yet available, avoid using the streaming AES‑256‑GCM API with empty AAD; provide non‑empty AAD or handle GHASH state preservation across update calls to mitigate the risk.

Generated by OpenCVE AI on June 24, 2026 at 09:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Caliptra
Caliptra core Runtime Firmware
Vendors & Products Caliptra
Caliptra core Runtime Firmware

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change. This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.
Title AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty
Weaknesses CWE-325
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Caliptra Core Runtime Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: Caliptra

Published:

Updated: 2026-06-24T13:15:03.109Z

Reserved: 2026-04-16T21:11:47.086Z

Link: CVE-2026-6458

cve-icon Vulnrichment

Updated: 2026-06-24T13:14:56.051Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:23Z

Weaknesses
  • CWE-325

    Missing Cryptographic Step