CWE-208
Observable Timing Discrepancy
Description
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-462 · CAPEC-541 · CAPEC-580
CVEs mapped to this weakness (121)
page 1 of 7| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-7036 | Cri | 0.57 | 9.8 | 0.02 | Jan 23, 2017 | python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys. | ||
| CVE-2026-41588 | Cri | 0.52 | 9.0 | 0.00 | May 8, 2026 | RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16. | ||
| CVE-2026-40972 | Hig | 0.49 | 7.5 | 0.00 | Apr 28, 2026 | An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving… | ||
| CVE-2026-5086 | Hig | 0.49 | 7.5 | 0.00 | Apr 13, 2026 | Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password. | ||
| CVE-2025-70949 | Hig | 0.49 | 7.5 | 0.00 | Mar 5, 2026 | An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel. | ||
| CVE-2023-50781 | Hig | 0.49 | 7.5 | 0.01 | Feb 5, 2024 | A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. | ||
| CVE-2025-53940 | Hig | 0.48 | — | 0.03 | Jul 24, 2025 | Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time… | ||
| CVE-2026-47784 | Hig | 0.46 | 8.1 | 0.01 | May 20, 2026 | In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass. | ||
| CVE-2026-47783 | Hig | 0.46 | 8.1 | 0.01 | May 20, 2026 | In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass. | ||
| CVE-2026-42602 | Hig | 0.46 | 8.1 | 0.00 | May 13, 2026 | azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate… | ||
| CVE-2026-47373 | Hig | 0.42 | 7.5 | 0.00 | May 20, 2026 | Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash. | ||
| CVE-2025-20067 | Med | 0.39 | 6.0 | 0.00 | Aug 12, 2025 | Observable timing discrepancy in firmware for some Intel(R) CSME and Intel(R) SPS may allow a privileged user to potentially enable information disclosure via local access. | ||
| CVE-2026-54411 | Med | 0.38 | 5.9 | 0.00 | Jun 14, 2026 | Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling… | ||
| CVE-2017-20240 | — | Med | 0.38 | 5.9 | 0.00 | Jun 12, 2026 | Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key. | |
| CVE-2026-44368 | Med | 0.38 | — | 0.00 | May 13, 2026 | PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can… | ||
| CVE-2025-7383 | Med | 0.38 | — | 0.00 | Aug 29, 2025 | Padding oracle attack vulnerability in Oberon microsystem AG’s Oberon PSA Crypto library in all versions since 1.0.0 and prior to 1.5.1 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations. | ||
| CVE-2025-7071 | Med | 0.38 | — | 0.00 | Aug 29, 2025 | Padding oracle attack vulnerability in Oberon microsystem AG’s ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations. | ||
| CVE-2025-48995 | Med | 0.38 | — | 0.00 | Jun 2, 2025 | SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are… | ||
| CVE-2025-29780 | Med | 0.38 | — | 0.00 | Mar 14, 2025 | Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. In versions 0.8.0b2 and prior, the `feldman_vss` library contains timing side-channel vulnerabilities in its matrix operations,… | ||
| CVE-2024-31074 | Med | 0.38 | 5.9 | 0.01 | Nov 13, 2024 | Observable timing discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access. |
- risk 0.57cvss 9.8epss 0.02
python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.
- risk 0.52cvss 9.0epss 0.00
RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.
- risk 0.49cvss 7.5epss 0.00
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving…
- risk 0.49cvss 7.5epss 0.00
Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password.
- risk 0.49cvss 7.5epss 0.00
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.
- risk 0.49cvss 7.5epss 0.01
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
- risk 0.48cvss —epss 0.03
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time…
- risk 0.46cvss 8.1epss 0.01
In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.
- risk 0.46cvss 8.1epss 0.01
In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.
- risk 0.46cvss 8.1epss 0.00
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate…
- risk 0.42cvss 7.5epss 0.00
Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash.
- risk 0.39cvss 6.0epss 0.00
Observable timing discrepancy in firmware for some Intel(R) CSME and Intel(R) SPS may allow a privileged user to potentially enable information disclosure via local access.
- risk 0.38cvss 5.9epss 0.00
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling…
- risk 0.38cvss 5.9epss 0.00
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.
- risk 0.38cvss —epss 0.00
PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can…
- risk 0.38cvss —epss 0.00
Padding oracle attack vulnerability in Oberon microsystem AG’s Oberon PSA Crypto library in all versions since 1.0.0 and prior to 1.5.1 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations.
- risk 0.38cvss —epss 0.00
Padding oracle attack vulnerability in Oberon microsystem AG’s ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations.
- risk 0.38cvss —epss 0.00
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are…
- risk 0.38cvss —epss 0.00
Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. In versions 0.8.0b2 and prior, the `feldman_vss` library contains timing side-channel vulnerabilities in its matrix operations,…
- risk 0.38cvss 5.9epss 0.01
Observable timing discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access.