PatchSiren cyber security CVE debrief
CVE-2026-6458 Caliptra CVE debrief
A medium severity vulnerability, CVE-2026-6458, was found in Caliptra Core Firmware. The issue arises from a missing cryptographic step in the aes_256_gcm_update module, resulting in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the final tag to exclude the first batch of processed ciphertext. This vulnerability affects Core Runtime Firmware versions from 2.0.0 through 2.0.1 and 2.1.0. The CVSS score for this vulnerability is 5.1, indicating a medium severity level. The vulnerability was published on June 24, 2026, and last modified on June 25, 2026.
- Vendor: Caliptra
- Product: Core Runtime Firmware
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-25
Who should care
Organizations running Caliptra Core Firmware versions 2.0.0 through 2.0.1 or 2.1.0 should be aware of this vulnerability and take the necessary actions to mitigate the risk. Because the final GCM tag does not cover the first batch of processed ciphertext, an attacker could modify that ciphertext without the tag reflecting the change, which undermines the integrity guarantee the authentication tag is meant to provide. Defenders should assess their inventory and prioritize patching or applying compensating controls.
Technical summary
The vulnerability is caused by a missing cryptographic step in the aes_256_gcm_update module of Caliptra Core Firmware. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, so the final tag is computed without the contribution of the first batch of processed ciphertext. Because that batch is not covered by the tag, modifications to it are not detected by tag verification. The affected firmware versions are 2.0.0 through 2.0.1 and 2.1.0. The CVSS score for this vulnerability is 5.1, indicating a medium severity level.
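As an added illustration (example code written for this debrief, not code from the advisory, the CVE record or the Caliptra project), the block below models the GHASH accumulator that produces a GCM tag and shows why a streaming implementation that fails to persist the accumulator after its first update call produces a tag that ignores the first chunk. It also shows the two self-tests a firmware validation suite can run to catch this class of defect: streaming output must equal one-shot output for the same ciphertext, and altering the first chunk must change the tag. Assumptions: the `drop_first_save` switch is a simplified model of the described defect, not the real firmware logic; the hash subkey H and the known answer are taken from the GCM specification's published test case 2 (AES-128, all-zero key, one ciphertext block, empty AAD); the 48-byte sample ciphertext and the chunk split are constructed.

```python
# Added example (not the advisory's or Caliptra's code): a pure-Python model of the GHASH
# accumulator behind a GCM tag. "drop_first_save" is a simplified model of the defect
# described above (state not written back after the first update), not the real firmware.

R_POLY = 0xE1 << 120  # GCM reduction constant R = 11100001 || 0^120 (NIST SP 800-38D)


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128), SP 800-38D Algorithm 1 (bit-string convention)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:       # bit x_i, where x_0 is the leftmost bit of the block
            z ^= v
        v = (v >> 1) ^ R_POLY if v & 1 else v >> 1
    return z


def ghash_one_shot(h: int, aad: bytes, ct: bytes) -> int:
    """Reference GHASH_H(A, C): absorb A, then C (zero-padded), then the 64|64-bit length block."""
    acc = 0
    for part in (aad, ct):
        for i in range(0, len(part), 16):
            blk = part[i:i + 16].ljust(16, b"\x00")
            acc = gf128_mul(acc ^ int.from_bytes(blk, "big"), h)
    len_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf128_mul(acc ^ len_block, h)


class StreamingGhash:
    """Streaming GHASH over ciphertext only (empty AAD, the case named in the advisory).

    A correct implementation writes the accumulator back after every update(). With
    drop_first_save=True the value computed by the first update() is discarded, which
    models "accumulator state not saved after the first update call" (assumption)."""

    def __init__(self, h: int, drop_first_save: bool = False) -> None:
        self.h = h
        self.acc = 0            # GHASH accumulator (the state the hardware must persist)
        self.buf = b""          # partial block carried between update() calls
        self.ct_len = 0         # total ciphertext bytes absorbed, for the length block
        self.calls = 0
        self.drop_first_save = drop_first_save

    def update(self, chunk: bytes) -> None:
        self.calls += 1
        self.ct_len += len(chunk)
        data = self.buf + chunk
        full = len(data) - len(data) % 16
        acc = self.acc
        for i in range(0, full, 16):
            acc = gf128_mul(acc ^ int.from_bytes(data[i:i + 16], "big"), self.h)
        self.buf = data[full:]
        if not (self.drop_first_save and self.calls == 1):
            self.acc = acc      # persist the accumulator; the modelled defect skips this once

    def finalize(self) -> int:
        acc = self.acc
        if self.buf:            # zero-pad the final partial block
            acc = gf128_mul(acc ^ int.from_bytes(self.buf.ljust(16, b"\x00"), "big"), self.h)
        return gf128_mul(acc ^ (self.ct_len * 8), self.h)   # len(A) = 0, len(C) in bits


def stream_ghash(h: int, chunks: list, drop_first_save: bool = False) -> int:
    s = StreamingGhash(h, drop_first_save)
    for c in chunks:
        s.update(c)
    return s.finalize()


def streaming_matches_one_shot(h: int, chunks: list, drop_first_save: bool = False) -> bool:
    """Self-test 1: streaming over chunks must equal one-shot GHASH over their concatenation."""
    return stream_ghash(h, chunks, drop_first_save) == ghash_one_shot(h, b"", b"".join(chunks))


def first_chunk_is_authenticated(h: int, chunks: list, drop_first_save: bool = False) -> bool:
    """Self-test 2: altering one byte of the first chunk must change the GHASH output."""
    altered = [bytes([chunks[0][0] ^ 0x01]) + chunks[0][1:]] + chunks[1:]
    return stream_ghash(h, chunks, drop_first_save) != stream_ghash(h, altered, drop_first_save)


def known_answer_ok() -> bool:
    """GCM spec test case 2: H = AES-128 under the all-zero key of 0^128, one ciphertext block, empty AAD."""
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    ct = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    return ghash_one_shot(h, b"", ct) == 0xF38CBB1AD69223DCC3457AE5B6B0F885


# Constructed sample: the same H, a 48-byte ciphertext fed to the streaming API as 16 + 32 bytes.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
CHUNKS = [bytes(range(16)), bytes(range(16, 48))]

if __name__ == "__main__":
    print("known answer:", known_answer_ok())
    for label, faulty in (("correct", False), ("modelled defect", True)):
        print(label, "| streaming == one-shot:", streaming_matches_one_shot(H, CHUNKS, faulty),
              "| first chunk authenticated:", first_chunk_is_authenticated(H, CHUNKS, faulty))
```

Run stand-alone, the correct model passes both self-tests while the modelled defect fails both: its streaming result differs from the one-shot reference, and flipping a byte in the first chunk leaves its output unchanged. The same two checks, driven through the firmware's real streaming and one-shot AES-256-GCM entry points with multi-call inputs and empty AAD, are the kind of test that distinguishes a patched build from an affected one.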
Defensive priority
Defenders should prioritize patching or applying compensating controls for Caliptra Core Firmware versions 2.0.0 through 2.0.1 and 2.1.0. It is essential to assess the inventory and monitor for potential security issues related to this vulnerability.
Recommended defensive actions
- Assess inventory for affected Caliptra Core Firmware versions 2.0.0 through 2.0.1 and 2.1.0.
- Prioritize patching or applying compensating controls for vulnerable firmware versions.
- Monitor for potential security issues related to this vulnerability.
- Review and update incident response plans to address potential exploitation.
- Verify that authentication tags produced by the affected firmware's streaming AES-256-GCM API cover the full ciphertext, for example by comparing multi-call streaming results with one-shot results for the same input and empty AAD.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its severity, and affected firmware versions. The source item URL provides additional context on the vulnerability and its impact. The reference URL from GitHub provides further details on the vulnerability and potential mitigations.
Official resources
- CVE-2026-6458 CVE record (CVE.org)
- CVE-2026-6458 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: b01ddd03-5ef6-483b-b2c5-acba77f1a554
This article is AI-assisted and based on the supplied source corpus.