CVE-2020-26263 in tlslite-ng

Summary

by MITRE • 12/21/2020

tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependent. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext doesn't start with 0x00, 0x02. All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on Python processing the individual bytes in a side-channel free manner; this is known not to be the case (see reference). As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng.


Analysis

by VulDB Data Team • 05/26/2026

The tlslite-ng library presents a critical side-channel vulnerability in its RSA PKCS#1 v1.5 decryption implementation that affects versions prior to 0.7.6 and 0.8.0-alpha39. This vulnerability stems from data-dependent execution patterns during the decryption process, specifically in how the library handles padding validation checks. The flaw manifests when the decryption code performs multiple conditional checks whose outcome depends on the decrypted plaintext values, creating observable timing differences that an attacker can use to infer information about the plaintext. The implementation aborts immediately upon detecting that the plaintext does not begin with the expected leading bytes 0x00, 0x02, which are required for valid PKCS#1 v1.5 padding. This early termination creates a timing channel that leaks information about the decryption result, making the vulnerability particularly dangerous in cryptographic contexts where such side-channel attacks are well documented.

The technical nature of this vulnerability aligns with CWE-203, which describes "Observable Behavioral Vulnerability" and specifically relates to information leaks through timing differences or other observable behaviors. The flaw represents a classic example of a timing side-channel attack where the execution path taken during decryption varies based on the input data, allowing attackers to perform statistical analysis and eventually recover the private key or sensitive information. This vulnerability affects all TLS servers utilizing RSA key exchange mechanisms as well as applications directly employing the RSA decryption API, creating a wide attack surface. The issue is particularly concerning because PKCS#1 v1.5 padding verification is a fundamental component of many cryptographic protocols, and the timing variations in the implementation create predictable patterns that can be exploited through sophisticated attack techniques.

The operational impact of this vulnerability extends beyond simple information disclosure, as it can lead to complete private key recovery in certain scenarios. Attackers with sufficient access to observe timing variations can perform adaptive chosen-ciphertext attacks, potentially compromising the security of entire TLS implementations that rely on this library. The vulnerability affects not just the TLS server functionality but also any application that directly uses the RSA decryption functionality provided by tlslite-ng, creating a broad security risk across multiple systems. Organizations using vulnerable versions face potential exposure to man-in-the-middle attacks, credential compromise, and overall TLS security degradation that could affect sensitive communications and data protection mechanisms. The security implications are compounded by the fact that this vulnerability exists in widely-used cryptographic libraries that form the foundation of many network security implementations.

Mitigation strategies for this vulnerability require immediate version upgrades to 0.7.6 or 0.8.0-alpha39, as these releases contain the necessary code changes to address the timing variations in the decryption process. However, users must understand that even the patched versions may not provide complete side-channel resistance due to Python's handling of individual bytes, which does not guarantee side-channel free execution. Organizations should consider implementing additional security measures such as using alternative TLS implementations that provide stronger side-channel resistance, implementing additional monitoring for timing variations, and potentially migrating to more modern cryptographic protocols that do not rely on vulnerable padding schemes like PKCS#1 v1.5. The library's security policy explicitly recommends against using these versions for applications requiring side-channel resistance, emphasizing the need for organizations to evaluate their specific security requirements and potentially adopt different cryptographic libraries that provide stronger guarantees against such attacks. This vulnerability demonstrates the critical importance of side-channel resistance in cryptographic implementations and highlights the challenges in achieving truly secure implementations in high-level languages like Python.
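To make the two patterns discussed above concrete, the following added example (illustration only, not tlslite-ng's own code) places an early-abort PKCS#1 v1.5 unpadding routine next to a constant-flow version that inspects every byte and substitutes a caller-supplied fallback on error, as the TLS 1.2 premaster handling recommends. The number of bytes inspected stands in for execution time; as the summary notes, Python itself gives no constant-time guarantee, so the point is the control-flow structure, not measured timings. The `encode_pkcs1_v15` helper and all inputs are constructed, with no RSA operation applied.

```python
import secrets

def encode_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Constructed type-2 encoded message EM = 00 02 PS 00 M (no RSA applied)."""
    ps = bytes(1 + i % 255 for i in range(k - len(msg) - 3))  # PS bytes must be nonzero
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad_early_abort(em: bytes):
    """The advisory's pattern: return as soon as a check fails, so the number of
    bytes inspected (a proxy for time) depends on the decrypted content."""
    inspected = 0
    if len(em) < 11:
        return None, inspected
    inspected += 1
    if em[0] != 0x00:          # wrong first byte: fastest exit
        return None, inspected
    inspected += 1
    if em[1] != 0x02:          # wrong second byte: second-fastest exit
        return None, inspected
    for i in range(2, len(em)):
        inspected += 1
        if em[i] == 0x00:      # exit time now depends on where the separator is
            return (em[i + 1:] if i >= 10 else None), inspected
    return None, inspected

def unpad_constant_flow(em: bytes, msg_len: int, fallback: bytes):
    """Every byte is inspected on every call and no branch depends on em's content;
    on a padding error the fallback is returned through a masked select."""
    k = len(em)
    if k < 11 or msg_len > k - 11 or len(fallback) != msg_len:
        return fallback, 0     # lengths are public, so branching on them leaks nothing secret
    sep = k - msg_len - 1      # where the 0x00 separator must sit for a msg_len-byte message
    err = em[0] | (em[1] ^ 0x02)            # nonzero unless the header is 00 02
    for i in range(2, sep):
        err |= ((em[i] - 1) >> 8) & 1       # 1 iff this padding byte is 0x00, no branch
    err |= em[sep]                          # separator must be 0x00
    mask = (((err | -err) >> 8) & 1) * 0xFF # 0xFF iff err != 0, else 0x00
    out = bytes((m & (0xFF ^ mask)) | (f & mask) for m, f in zip(em[sep + 1:], fallback))
    return out, k

def tls_premaster(em: bytes) -> bytes:
    """RFC 5246 7.4.7.1 style: a random 48-byte value stands in for the premaster secret
    on any padding error, so the handshake continues and fails later on Finished."""
    return unpad_constant_flow(em, 48, secrets.token_bytes(48))[0]

# Constructed inputs: a well-formed EM for a 64-byte "modulus" and two malformed variants.
PREMASTER = bytes(range(48))
FALLBACK = b"\xaa" * 48
GOOD = encode_pkcs1_v15(PREMASTER, 64)
BAD_HEADER = b"\x01" + GOOD[1:]
BAD_PS = GOOD[:5] + b"\x00" + GOOD[6:]
```

Running the three inputs through both routines shows the early-abort version inspecting 16, 1 and 6 bytes respectively, while the constant-flow version inspects all 64 every time.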

Disclosure

12/21/2020

Moderation

accepted

CPE

ready

EPSS

0.01276

KEV

no

Activities

very low
