GHSA-5hpf-pc4x-3jcf
A vulnerability in the EVP_DigestVerifyFinal function allows acceptance of a zero-length HMAC tag as valid during verification. This occurs because the OpenSSL-compatible HMAC verification path only checked that the supplied signature length did not exceed the MAC length, permitting zero-length or truncated tags to pass. The issue is addressed by requiring the supplied tag length to exactly match the MAC length, rejecting zero-length tags and preventing forged short or empty tags from being accepted.
AI Analysis
Technical Summary
CVE-2026-6331 describes a weakness in the EVP_DigestVerifyFinal function's HMAC verification process. The vulnerability arises because the verification logic only ensured the signature length was not greater than the MAC length, allowing zero-length or truncated tags to be accepted as valid. This could enable an attacker to forge a zero-length HMAC tag that passes verification. The fix enforces that the supplied tag length must exactly equal the MAC length and disallows zero-length MACs, thereby preventing acceptance of forged short or empty tags.
Potential Impact
The vulnerability could allow an attacker to bypass HMAC verification by presenting a zero-length or truncated tag that is incorrectly accepted as valid. This undermines the integrity verification provided by HMAC, potentially allowing unauthorized data to be accepted as authentic. However, the severity is rated low, indicating limited impact or exploitability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix involves enforcing exact tag length matching and rejecting zero-length tags in the HMAC verification process. Until an official fix is available, users should monitor vendor communications for updates.
GHSA-5hpf-pc4x-3jcf
Description
A vulnerability in the EVP_DigestVerifyFinal function allows acceptance of a zero-length HMAC tag as valid during verification. This occurs because the OpenSSL-compatible HMAC verification path only checked that the supplied signature length did not exceed the MAC length, permitting zero-length or truncated tags to pass. The issue is addressed by requiring the supplied tag length to exactly match the MAC length, rejecting zero-length tags and preventing forged short or empty tags from being accepted.
CVSS v4.0
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-6331 describes a weakness in the EVP_DigestVerifyFinal function's HMAC verification process. The vulnerability arises because the verification logic only ensured the signature length was not greater than the MAC length, allowing zero-length or truncated tags to be accepted as valid. This could enable an attacker to forge a zero-length HMAC tag that passes verification. The fix enforces that the supplied tag length must exactly equal the MAC length and disallows zero-length MACs, thereby preventing acceptance of forged short or empty tags.
Potential Impact
The vulnerability could allow an attacker to bypass HMAC verification by presenting a zero-length or truncated tag that is incorrectly accepted as valid. This undermines the integrity verification provided by HMAC, potentially allowing unauthorized data to be accepted as authentic. However, the severity is rated low, indicating limited impact or exploitability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix involves enforcing exact tag length matching and rejecting zero-length tags in the HMAC verification process. Until an official fix is available, users should monitor vendor communications for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-5hpf-pc4x-3jcf
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-6331"]
- Ecosystems
- []
- Database Specific Severity
- LOW
- Cvss Version
- 4.0
Threat ID: 6a3ef7d127e9c79719002b47
Added to database: 06/26/2026, 22:06:09 UTC
Last enriched: 06/26/2026, 22:38:21 UTC
Last updated: 06/27/2026, 00:31:19 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.