CryptX versions prior to 0.088_001 for Perl perform tag verification in the streaming decrypt_done path using a memNE (memcmp() != 0) comparison that short-circuits on the first differing byte, resulting in timing discrepancies. This timing side-channel affects all five AEAD modes supported by CryptX (GCM, CCM, ChaCha20Poly1305, EAX, and OCB). An attacker able to submit multiple candidate tags for the same nonce, ciphertext, and associated data, and measure the timing precisely, can exploit this to recover the correct authentication tag byte-by-byte, enabling forgery of authenticated messages. The vulnerability does not affect the one-shot *_decrypt_verify helpers, which perform constant-time tag verification inside libtomcrypt. No vendor advisory or patch information is currently available.

The vulnerability enables a tag-verification oracle via timing side-channels in the streaming decrypt_done function, potentially allowing an attacker to forge authenticated messages by recovering the expected authentication tag byte-by-byte. This compromises the integrity guarantees of AEAD encryption modes in affected CryptX versions. The one-shot verification functions remain secure. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid using the streaming decrypt_done($tag) function for AEAD tag verification in CryptX versions before 0.088_001. Prefer using the one-shot *_decrypt_verify helpers which perform constant-time verification. Monitor vendor channels for updates and patches.