CVE-2026-6458

AES-256-GCM Authentication Tag Does Not Cover First Ciphertext Blocks When AAD Is Empty

Assigner: Caliptra
Reserved: 16.04.2026 Published: 23.06.2026 Updated: 24.06.2026

Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. Ciphertext produced by that call may be modified without the tag reflecting the change.

This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Caliptra
Product	Core Runtime Firmware
Versions	Default: unaffected affected from 2.0.0 to 2.0.1 (incl.) Version 2.1.0 is affected Version 2.0.2 is unaffected Version 2.1.1 is unaffected

Vendor

Caliptra

Product

Core Runtime Firmware

Versions

Default: unaffected

affected from 2.0.0 to 2.0.1 (incl.)
Version 2.1.0 is affected
Version 2.0.2 is unaffected
Version 2.1.1 is unaffected

Credits

NVIDIA Offensive Security Research (OSR) team finder

References

Problem Types

CWE-325 Missing Cryptographic Step CWE

Impacts

CAPEC-148 Content Spoofing