Critical Info Disclosure Vulnerability in phpseclib for Fedora 42 and 43

Severity: High (Score: 72.8)

Sources: Linuxsecurity

Summary

A critical information disclosure vulnerability (CVE-2026-32935) was identified in the phpseclib library, affecting Fedora 42 and 43. The vulnerability allows attackers to exploit a padding oracle timing attack when using AES in CBC mode, potentially disclosing sensitive information. The issue was published on 2026-03-20 and has been addressed in updates for both Fedora versions. Fedora 43 has been updated to version 3.0.50, while Fedora 42 has been updated to version 2.0.52 to mitigate the risk. Users are advised to apply the updates immediately to protect against potential exploitation. The updates can be installed using the 'dnf' package manager. The vulnerability impacts systems utilizing the affected versions of phpseclib, which is widely used for cryptographic operations in PHP applications. Failure to update may leave systems vulnerable to attacks that exploit this flaw. Key Points: • CVE-2026-32935 allows information disclosure via padding oracle timing attacks. • Affected systems include Fedora 42 and 43 using phpseclib library. • Updates to phpseclib versions 2.0.52 and 3.0.50 are available to mitigate the risk.

Key Entities

• Data Breach (attack_type)
• CVE-2026-32935 (cve)
• Fedora (company)
• Padding Oracle Timing Attack (vulnerability)