CVE-2023-26084

low-risk
Published 2023-03-15

The armv8_dec_aes_gcm_full() API of Arm AArch64cryptolib before 86065c6 fails to the verify the authentication tag of AES-GCM protected data, leading to a man-in-the-middle attack. This occurs because of an improperly initialized variable.

Do I need to act?

-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (1)

Aarch64Cryptolib

Affected Vendors

Arm

References (2)

Patch https://github.com/ARM-software/AArch64cryptolib/security/advisories/GHSA-47c6-7...
Patch https://github.com/ARM-software/AArch64cryptolib/security/advisories/GHSA-47c6-7...
19
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal