ARM AArch64cryptolib Authentication Tag armv8_dec_aes_gcm_full initialized channel accessible
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.6 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in ARM AArch64cryptolib. The affected element is the function armv8_dec_aes_gcm_full of the component Authentication Tag Handler. Performing a manipulation of the argument initialized results in channel accessible.
This vulnerability is cataloged as CVE-2023-26084. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to apply a patch to fix this issue.
Details
A vulnerability classified as problematic has been found in ARM AArch64cryptolib (affected version unknown). This affects the function armv8_dec_aes_gcm_full of the component Authentication Tag Handler. The manipulation of the argument initialized with an unknown input leads to a channel accessible vulnerability. CWE is classifying the issue as CWE-300. The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. This is going to have an impact on confidentiality. The summary by CVE is:
The armv8_dec_aes_gcm_full() API of Arm AArch64cryptolib before 86065c6 fails to the verify the authentication tag of AES-GCM protected data, leading to a man-in-the-middle attack. This occurs because of an improperly initialized variable.
The weakness was shared 03/15/2023 as GHSA-47c6-7x5x-r74g. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2023-26084 since 02/20/2023. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1557 according to MITRE ATT&CK.
Applying the patch 86065c6 is able to eliminate this problem.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2023-29958). Be aware that VulDB is the high quality source for vulnerability data.
Product
Vendor
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.7VulDB Meta Temp Score: 3.7
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 3.7
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Channel accessibleCWE: CWE-300
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: 86065c6
Timeline
02/20/2023 🔍03/15/2023 🔍
03/15/2023 🔍
11/04/2025 🔍
Sources
Advisory: GHSA-47c6-7x5x-r74gStatus: Confirmed
CVE: CVE-2023-26084 (🔍)
GCVE (CVE): GCVE-0-2023-26084
GCVE (VulDB): GCVE-100-223119
EUVD: 🔍
Entry
Created: 03/15/2023 16:00Updated: 11/04/2025 16:31
Changes: 03/15/2023 16:00 (41), 04/08/2023 09:41 (9), 11/04/2025 16:31 (16)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.