CVE-2026-32935 Overview
CVE-2026-32935 is a padding oracle timing attack vulnerability affecting phpseclib, a widely used PHP secure communications library. Projects using vulnerable versions are susceptible to cryptographic attacks when using AES encryption in CBC (Cipher Block Chaining) mode. This timing-based side-channel attack allows adversaries to decrypt encrypted data by analyzing response time variations during padding validation, potentially exposing sensitive communications.
Critical Impact
Attackers can exploit timing differences in padding validation to decrypt AES-CBC encrypted data without knowing the encryption key, potentially compromising confidential communications and sensitive data protected by phpseclib.
Affected Products
- phpseclib versions 1.0.26 and below
- phpseclib versions 2.0.0 through 2.0.51
- phpseclib versions 3.0.0 through 3.0.49
Discovery Timeline
- 2026-03-20 - CVE-2026-32935 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32935
Vulnerability Analysis
This vulnerability is classified under CWE-208 (Observable Timing Discrepancy), representing a side-channel attack vector in cryptographic implementations. The flaw exists in the AES-CBC decryption routine where padding validation operations exhibit measurable timing differences based on whether the padding is valid or invalid.
In a properly implemented cryptographic system, operations should be constant-time to prevent attackers from inferring information about the plaintext or keys through timing analysis. However, the vulnerable versions of phpseclib process padding validation in a way that creates observable timing discrepancies. An attacker positioned to intercept encrypted traffic and measure server response times can systematically modify ciphertext blocks and observe the timing of error responses to incrementally decrypt the message.
The attack is network-accessible but requires high attack complexity as it demands precise timing measurements and multiple requests to successfully decrypt data. The primary impact is confidentiality loss, as successful exploitation allows unauthorized access to encrypted information.
Root Cause
The root cause lies in non-constant-time padding validation within the AES-CBC decryption implementation. When phpseclib processes PKCS#7 padding during decryption, the validation routine exhibits different execution times depending on the validity and nature of the padding bytes. This timing variance, while often measured in microseconds or milliseconds, provides sufficient information leakage for a determined attacker to mount a successful padding oracle attack over multiple iterations.
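To make the root cause concrete, here is an added example (Python standing in for phpseclib's PHP; this is not the library's code) of a PKCS#7 unpad check whose work depends on the padding bytes, beside a mask-based version that always does the same work. Each function returns the number of bytes it examined so the data dependence is visible without a clock; Python itself gives no constant-time guarantee, the point is the control-flow shape.

```python
BLOCK = 16  # AES block size in bytes


def unpad_variable_time(plaintext: bytes):
    """Early-exit PKCS#7 check (the vulnerable shape): it stops at the first
    bad byte, so the bytes examined, and hence the time taken, depend on the
    padding value. Returns (padding_ok, bytes_examined)."""
    examined = 0
    if not plaintext or len(plaintext) % BLOCK:
        return False, examined
    pad = plaintext[-1]
    examined += 1
    if pad < 1 or pad > BLOCK:
        return False, examined
    for i in range(2, pad + 1):
        examined += 1
        if plaintext[-i] != pad:
            return False, examined
    return True, examined


def unpad_constant_time(plaintext: bytes):
    """Mask-based check (the patched shape): it always examines the whole
    final block and folds every comparison into an accumulator, so the work
    done does not depend on the padding. Returns (padding_ok, bytes_examined)."""
    if not plaintext or len(plaintext) % BLOCK:
        return False, 0
    last = plaintext[-BLOCK:]
    pad = last[-1]
    # in_range == 1 iff 1 <= pad <= BLOCK, computed with arithmetic only
    in_range = ((((pad - 1) & 0xFF) - BLOCK) >> 8) & 1
    bad = (in_range - 1) & 0xFF  # 0xFF when pad is out of range, else 0
    for i in range(1, BLOCK + 1):
        # within == 1 iff this byte lies inside the claimed padding (i <= pad)
        within = ((i - pad - 1) >> 8) & 1
        bad |= (last[-i] ^ pad) & (-within & 0xFF)
    return bad == 0, BLOCK
```

The variable-time version examines 1 byte for a zero pad byte and up to 16 for a full block of padding, while the mask-based version examines 16 bytes in every case; that difference in work is the side channel the advisory describes.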
Attack Vector
The attack exploits the network-accessible decryption functionality provided by applications using phpseclib. An attacker follows this methodology:
- Intercepts or captures ciphertext encrypted with AES-CBC
- Modifies the last block of ciphertext and submits it to the target application
- Measures the response time with high precision
- Iterates through byte values, observing timing differences that indicate valid vs. invalid padding
- Uses the timing information to deduce the intermediate state and recover plaintext bytes
- Repeats the process block-by-block to decrypt the entire message
The vulnerability does not require authentication and can be exploited without user interaction. The attack complexity is considered high because successful exploitation requires the ability to make multiple requests, measure timing with sufficient precision, and potentially overcome network jitter.
Detection Methods for CVE-2026-32935
Indicators of Compromise
- Unusual patterns of failed decryption attempts from the same source IP
- High volume of requests to endpoints performing AES-CBC decryption
- Requests with systematically modified ciphertext payloads
- Statistical anomalies in decryption error rates from specific clients
Detection Strategies
- Monitor application logs for repeated decryption failures with incrementally modified inputs
- Implement rate limiting on cryptographic operations to detect and slow padding oracle attempts
- Deploy network anomaly detection to identify timing-based attack patterns
- Review dependency manifests for vulnerable phpseclib versions (1.0.26 and below, 2.0.0-2.0.51, 3.0.0-3.0.49)
Monitoring Recommendations
- Enable detailed logging for cryptographic operations including timestamps and error types
- Configure alerting for abnormal decryption failure rates from individual sources
- Implement request timing monitoring to detect systematic probing behavior
- Conduct regular dependency audits using tools like Composer audit to identify vulnerable libraries
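Detection logic for the log-based strategies above, as an added example that is not part of this advisory: it parses constructed decrypt-audit log lines (the src=... op=decrypt result=... ct=... format is an assumption; adapt the pattern to your application's logging) and flags sources whose decryption failures are mostly one-byte edits of a ciphertext they already submitted, which is the byte-by-byte shape of padding-oracle probing.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not phpseclib's output):
#   <timestamp> src=<client> op=decrypt result=<ok|fail> ct=<ciphertext hex>
LOG_RE = re.compile(r"src=(?P<src>\S+) op=decrypt result=(?P<result>\w+) ct=(?P<ct>[0-9a-fA-F]+)")


def differing_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions at which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b))


def find_probers(log_lines, min_failures=8, min_probe_ratio=0.75):
    """Return {src: stats} for sources whose failed decryptions were mostly
    one-byte edits of a ciphertext that source had already submitted."""
    failures, probes, seen = defaultdict(int), defaultdict(int), defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, ct = m["src"], bytes.fromhex(m["ct"])
        if m["result"] == "fail":
            failures[src] += 1
            # a failure on a ciphertext one byte away from an earlier one is a probe
            if any(len(p) == len(ct) and differing_bytes(p, ct) == 1 for p in seen[src]):
                probes[src] += 1
        seen[src].append(ct)
    flagged = {}
    for src, n in failures.items():
        if n >= min_failures and probes[src] / n >= min_probe_ratio:
            flagged[src] = {"failures": n, "probes": probes[src]}
    return flagged


def sample_log():
    """Constructed audit lines: 203.0.113.5 sweeps the last byte of one
    ciphertext; 198.51.100.7 has a single unrelated failure and one success."""
    base = bytes(range(32))  # two AES blocks of constructed ciphertext
    lines = [f"2026-03-21T10:00:{v:02d}Z src=203.0.113.5 op=decrypt result=fail "
             f"ct={(base[:-1] + bytes([v])).hex()}" for v in range(10)]
    lines.append(f"2026-03-21T10:01:00Z src=198.51.100.7 op=decrypt result=fail ct={bytes(32).hex()}")
    lines.append(f"2026-03-21T10:01:05Z src=198.51.100.7 op=decrypt result=ok ct={base.hex()}")
    return lines
```

The thresholds are starting points; tune min_failures to your endpoint's normal failure rate, since a single legitimate client with a stale key produces failures but not one-byte edits.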
How to Mitigate CVE-2026-32935
Immediate Actions Required
- Update phpseclib to patched versions: 1.0.27, 2.0.52, or 3.0.50 immediately
- Audit all PHP applications and dependencies for phpseclib usage
- Review Composer lock files to identify transitive dependencies on vulnerable versions
- Consider switching to authenticated encryption modes (AES-GCM) where possible as a defense-in-depth measure
Patch Information
The phpseclib maintainers have released patched versions that implement constant-time padding validation to eliminate the timing side-channel. The fix is available in:
- Version 1.0.27 for the 1.x branch
- Version 2.0.52 for the 2.x branch
- Version 3.0.50 for the 3.x branch
The security fix can be reviewed in the GitHub Commit for phpseclib. Additional details are available in the GitHub Security Advisory GHSA-94g3-g5v7-q4jg.
Workarounds
- If immediate patching is not possible, consider disabling AES-CBC mode and using alternative encryption modes
- Implement network-level rate limiting on endpoints that perform decryption operations
- Add artificial random delays to decryption responses to obscure timing information (temporary measure only)
- Deploy a Web Application Firewall (WAF) with rules to detect rapid sequential requests with similar payloads
# Update phpseclib via Composer
composer require phpseclib/phpseclib:^3.0.50
# For version 2.x branch
composer require phpseclib/phpseclib:^2.0.52
# For legacy version 1.x branch
composer require phpseclib/phpseclib:^1.0.27
# Verify installed version
composer show phpseclib/phpseclib
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.