VYPR
High severity · NVD Advisory · Published Jul 30, 2018 · Updated Aug 5, 2024

CVE-2018-10903

Description

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

python-cryptography GCM tag forgery vulnerability via truncated tag in finalize_with_tag allows 1/256 chance of MAC bypass and key leakage.

Vulnerability

A flaw in python-cryptography versions between >=1.9.0 and <2.3 allows an attacker to perform a GCM tag forgery. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag, an attacker could craft an invalid payload with a shortened tag (e.g., 1 byte) such that they would have a 1 in 256 chance of passing the MAC check [1][2].

Exploitation

An attacker needs to be able to deliver a crafted ciphertext with a truncated authentication tag to a vulnerable application. No prior authentication or special privilege is required, but the application must use the finalize_with_tag method with a user-controlled tag without validating its length. The attacker can repeatedly attempt forged tags; each attempt has a 1/256 probability of success for a 1-byte tag [1].

Impact

Successful tag forgery defeats the integrity check of the GCM mode, allowing the attacker to decrypt the ciphertext (information disclosure). Additionally, GCM tag forgeries can cause key leakage, potentially compromising the entire encryption key and all data protected by it [1][3].

Mitigation

The fix was released in python-cryptography version 2.3 [1]. The commit at [4] enforces a minimum tag length (the min_tag_length parameter) in the GCM constructor and raises a ValueError in finalize_with_tag if the provided tag is shorter than this minimum [4]. Red Hat provided updated packages for Red Hat OpenStack Platform 13 (RHSA-2018:3600) on 2018-11-13 [3]. Users should upgrade to version 2.3 or later. If upgrading is not possible, applications must validate tag length before calling finalize_with_tag.
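The caller-side mitigation from the paragraph above, as an added example that is not code from the advisory or from the pyca/cryptography project: the tag length is checked against `min_tag_length` before the tag reaches `finalize_with_tag`, so a 1-byte tag is refused before any MAC comparison. It assumes the `cryptography` package is installed; the key, IV, AAD and plaintext are constructed sample values, and `forgery_odds` just derives the 1-in-256 figure for a 1-byte tag.

```python
# Added example, not code from the advisory or the pyca/cryptography project.
# Caller-side version of the 2.3 fix: check len(tag) against min_tag_length
# before the tag reaches finalize_with_tag. Requires the `cryptography`
# package; key, IV, AAD and plaintext below are constructed sample values.
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

FULL_TAG_LEN = 16  # GCM's full 128-bit tag, also the library default for min_tag_length

def forgery_odds(tag_len: int) -> int:
    """Average guesses needed to forge a tag_len-byte tag (1 in N)."""
    return 2 ** (8 * tag_len)  # 1 byte -> 256, the figure in the advisory

def encrypt_gcm(key: bytes, iv: bytes, plaintext: bytes, aad: bytes = b"") -> tuple:
    enc = Cipher(algorithms.AES(key), modes.GCM(iv)).encryptor()
    enc.authenticate_additional_data(aad)
    return enc.update(plaintext) + enc.finalize(), enc.tag

def decrypt_gcm(key, iv, ciphertext, tag, aad=b"", min_tag_length=FULL_TAG_LEN):
    # Length check first; a pre-2.3 library would pass a 1-byte tag to OpenSSL (1/256 forgery odds).
    if len(tag) < min_tag_length:
        raise ValueError(f"tag is {len(tag)} bytes, need at least {min_tag_length}")
    mode = modes.GCM(iv, min_tag_length=min_tag_length)
    dec = Cipher(algorithms.AES(key), mode).decryptor()
    dec.authenticate_additional_data(aad)
    # finalize_with_tag raises InvalidTag when a full-length tag does not verify.
    return dec.update(ciphertext) + dec.finalize_with_tag(tag)

def classify_attempt(key, iv, ciphertext, tag, aad=b"") -> str:
    """Outcome a defender would log for one presented (ciphertext, tag, aad)."""
    try:
        decrypt_gcm(key, iv, ciphertext, tag, aad)
    except InvalidTag:
        return "rejected: tag mismatch"
    except ValueError:
        return "rejected: tag too short"
    return "accepted"

def demo() -> dict:
    key, iv, aad = b"\x01" * 16, b"\x02" * 12, b"hdr"   # constructed values
    ct, tag = encrypt_gcm(key, iv, b"constructed plaintext", aad)
    flipped = bytes([tag[0] ^ 1]) + tag[1:]              # wrong but full-length
    return {
        "tag_len": len(tag),
        "valid": classify_attempt(key, iv, ct, tag, aad),
        "truncated_1_byte": classify_attempt(key, iv, ct, tag[:1], aad),
        "wrong_tag": classify_attempt(key, iv, ct, flipped, aad),
        "odds_1_byte": forgery_odds(1),
    }
```

A truncated tag is reported as a length failure before any MAC comparison, while a wrong full-length tag still fails the MAC check as `InvalidTag`; the two are worth logging separately.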

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions    Patched versions
cryptography (PyPI)   >= 1.9.0, < 2.3      2.3

Affected products: 70

Patches (1)
d4378e42937b

disallow implicit tag truncation with finalize_with_tag (#4342)

https://github.com/pyca/cryptography · Paul Kehrer · Jul 17, 2018 · via ghsa
5 files changed · +28 -0
  • CHANGELOG.rst  +5 -0  modified
    @@ -8,6 +8,11 @@ Changelog
     
     .. note:: This version is not yet released and is under active development.
     
    +* **SECURITY ISSUE:**
    +  :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
    +  allowed tag truncation by default which can allow tag forgery in some cases.
    +  The method now enforces the ``min_tag_length`` provided to the
    +  :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
     * Added support for Python 3.7.
     * Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
       authenticated timestamp of a :doc:`Fernet </fernet>` token.
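Review bot: the new SECURITY ISSUE bullet should say that this is a behaviour change for existing callers, not only a fix: modes.py in this same patch shows the GCM default is `min_tag_length=16`, so an application that passed a shorter tag to `finalize_with_tag` on a `GCM` built without `min_tag_length` now gets a ValueError where it previously decrypted. Suggest appending a sentence such as "Callers that intentionally use shorter tags must pass ``min_tag_length`` to ``GCM``."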
    
  • docs/hazmat/primitives/symmetric-encryption.rst  +1 -0  modified
    @@ -670,6 +670,7 @@ Interfaces
             :raises ValueError: This is raised when the data provided isn't
                 a multiple of the algorithm's block size, if ``min_tag_length`` is
                 less than 4, or if ``len(tag) < min_tag_length``.
    +            ``min_tag_length`` is an argument to the ``GCM`` constructor.
             :raises NotImplementedError: This is raised if the version of the
                 OpenSSL backend used is 1.0.1 or earlier.
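Review bot: the added sentence tells the reader that `min_tag_length` is a `GCM` constructor argument but not what it defaults to, so this :raises ValueError: entry alone does not reveal that any tag shorter than 16 bytes is now rejected unless the constructor was given a smaller value (the default is visible in the modes.py hunk of this patch). Suggest "``min_tag_length`` is an argument to the ``GCM`` constructor (default 16)."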
     
    
  • src/cryptography/hazmat/backends/openssl/ciphers.py  +5 -0  modified
    @@ -199,6 +199,11 @@ def finalize_with_tag(self, tag):
                     "finalize_with_tag requires OpenSSL >= 1.0.2. To use this "
                     "method please update OpenSSL"
                 )
    +        if len(tag) < self._mode._min_tag_length:
    +            raise ValueError(
    +                "Authentication tag must be {0} bytes or longer.".format(
    +                    self._mode._min_tag_length)
    +            )
             res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
                 self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG,
                 len(tag), tag
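Review bot: the new check raises ValueError, whereas a tag that is long enough but fails verification raises InvalidTag from the same method, so a caller that catches only InvalidTag to treat every bad ciphertext uniformly will now see an unhandled ValueError for a truncated tag; this is documented in the docs hunk, which is the right place, but the test in this patch should pin the exception type for both paths. Placement is right: the length is checked before `len(tag)` is handed to `EVP_CIPHER_CTX_ctrl`, so OpenSSL never sees the short tag. Minor: `self._mode._min_tag_length` reads a private attribute of another module's class; expose it as a read-only property on `GCM` as `tag` and `initialization_vector` already are.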
    
  • src/cryptography/hazmat/primitives/ciphers/modes.py  +1 -0  modified
    @@ -220,6 +220,7 @@ def __init__(self, initialization_vector, tag=None, min_tag_length=16):
                             min_tag_length)
                     )
             self._tag = tag
    +        self._min_tag_length = min_tag_length
     
         tag = utils.read_only_property("_tag")
         initialization_vector = utils.read_only_property("_initialization_vector")
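Review bot: `self._min_tag_length` is stored but, unlike `_tag` and `_initialization_vector` two lines below, is not exposed through `utils.read_only_property`, which forces the backend to reach into the private attribute. Suggest adding `min_tag_length = utils.read_only_property("_min_tag_length")` beside the existing properties and reading `self._mode.min_tag_length` in ciphers.py.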
    
  • tests/hazmat/primitives/test_aes.py  +16 -0  modified
    @@ -439,3 +439,19 @@ def test_gcm_tag_decrypt_finalize(self, backend):
                 decryptor.finalize()
             else:
                 decryptor.finalize_with_tag(tag)
    +
    +    @pytest.mark.supported(
    +        only_if=lambda backend: (
    +            not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 or
    +            backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
    +        ),
    +        skip_message="Not supported on OpenSSL 1.0.1",
    +    )
    +    def test_gcm_tag_decrypt_finalize_tag_length(self, backend):
    +        decryptor = base.Cipher(
    +            algorithms.AES(b"0" * 16),
    +            modes.GCM(b"0" * 12),
    +            backend=backend
    +        ).decryptor()
    +        with pytest.raises(ValueError):
    +            decryptor.finalize_with_tag(b"tagtooshort")
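Review bot: the new test only exercises the default case, an 11-byte `b"tagtooshort"` against the implicit `min_tag_length=16`. Add a second case that constructs `modes.GCM(b"0" * 12, min_tag_length=4)` and presents a 4-byte tag, asserting that it is not rejected with ValueError (it should proceed to the MAC check and fail there as InvalidTag), so the boundary in `len(tag) < min_tag_length` is covered on both sides and an off-by-one in the check would be caught; a 5-byte tag against the default would also confirm the check uses the configured minimum rather than a hard-coded 16.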
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10
