Ghostwire

CVE-2026-40194: phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()

LOW CVSS 3.7 EPSS 0.01% Exploit Available 2 PoC

Published: April 10, 2026 | Last Modified: April 10, 2026

Description

phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.01% (1th percentile)

Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.

2 proof-of-concept exploits available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (2)

phpseclib/phpseclib
phpseclib/phpseclib

Security Coverage (1 articles)

References

github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx
github.com/phpseclib/phpseclib/commit/ffe48b6b1b1af6963327f0a5330e3aa004a194ac
github.com/phpseclib/phpseclib/releases/tag/1.0.28
github.com/phpseclib/phpseclib/releases/tag/2.0.53
github.com/phpseclib/phpseclib/releases/tag/3.0.51
nvd.nist.gov/vuln/detail/CVE-2026-40194
github.com/advisories/GHSA-r854-jrxh-36qx
www.tenable.com/cve/CVE-2026-40194
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-40194