LOWCVE-2026-40194CVSS 3.7

CVE-2026-40194: Variable-Time HMAC in phpseclib SSH2

Q: What is CVE-2026-40194 — Variable-Time HMAC in phpseclib SSH2?

CVE-2026-40194 is a LOW severity vulnerability in phpseclib SSH2 affecting versions 0.1.1–>= 3.0.0, < 3.0.51, where a variable-time comparison in HMAC verification can leak information.

Q: Am I affected by CVE-2026-40194 in phpseclib SSH2?

You are affected if your application uses phpseclib SSH2 version 0.1.1–>= 3.0.0, < 3.0.51. Check your composer.json or application dependencies to confirm.

Q: How do I fix CVE-2026-40194 in phpseclib SSH2?

Upgrade to phpseclib SSH2 version 3.0.51 or later. This resolves the variable-time comparison issue.

Q: Is CVE-2026-40194 being actively exploited?

There are currently no reports of active exploitation of CVE-2026-40194, but it's crucial to apply the patch proactively.

Q: Where can I find the official phpseclib advisory for CVE-2026-40194?

Refer to the phpseclib project's security advisories on their GitHub repository: https://github.com/phpseclib/phpseclib

Platform

php

Component

phpseclib

Fixed in

1.0.28

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-40194 affects phpseclib SSH2, a PHP library for SSH2 functionality. This vulnerability stems from a variable-time comparison during HMAC verification within the getbinarypacket() function, potentially leading to timing attacks. Affected versions include 0.1.1–>= 3.0.0, < 3.0.51. The vulnerability is mitigated by upgrading to version 3.0.51.

Impact and Attack Scenarios

The vulnerability lies in the use of PHP's != operator for comparing HMACs, which, despite utilizing memcmp() for equal-length binary strings, still exhibits variable-time behavior. While memcmp() short-circuits on the first differing byte, the timing difference can still be exploited to leak information about the HMAC key. Although the severity is rated LOW, successful exploitation could allow an attacker to gain insights into the SSH key, potentially enabling further attacks. The inherent security mechanisms of SSH, specifically its disconnect-on-MAC-failure behavior, significantly limit the practical exploitation of this vulnerability over the network.

Exploitation Context

CVE-2026-40194 has a LOW CVSS score and is considered a defense-in-depth concern. There are currently no publicly available proof-of-concept exploits. The vulnerability was published on 2026-04-10. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.01% (2% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentphpseclib

Vendorphpseclib

Affected rangeFixed in

>= 0.1.1, < 1.0.28 – >= 0.1.1, < 1.0.28—

>= 2.0.0, < 2.0.53 – >= 2.0.0, < 2.0.53—

>= 3.0.0, < 3.0.51 – >= 3.0.0, < 3.0.51—

0.1.11.0.28

Weakness Classification (CWE)

CWE-208

Timeline

Reserved2026-04-09
Published2026-04-10
Modified2026-05-08
EPSS updated2026-04-18

Mitigation and Workarounds

The primary mitigation for CVE-2026-40194 is to upgrade to phpseclib SSH2 version 3.0.51 or later. This version contains a fix that eliminates the variable-time comparison. If upgrading is not immediately feasible, consider implementing defense-in-depth measures. While SSH's built-in MAC failure handling provides some protection, it's not a substitute for patching. There are no known WAF or proxy rules that can directly address this vulnerability. Monitor SSH logs for unusual connection patterns or disconnections.

How to fix

Update the phpseclib library to version 3.0.51, 2.0.53, or 1.0.28 to mitigate the vulnerability. The update replaces the insecure comparison with the != operator with the hash_equals() function, which provides a secure binary string comparison.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-40194 — Variable-Time HMAC in phpseclib SSH2?

CVE-2026-40194 is a LOW severity vulnerability in phpseclib SSH2 affecting versions 0.1.1–>= 3.0.0, < 3.0.51, where a variable-time comparison in HMAC verification can leak information.

Am I affected by CVE-2026-40194 in phpseclib SSH2?

You are affected if your application uses phpseclib SSH2 version 0.1.1–>= 3.0.0, < 3.0.51. Check your composer.json or application dependencies to confirm.

How do I fix CVE-2026-40194 in phpseclib SSH2?

Upgrade to phpseclib SSH2 version 3.0.51 or later. This resolves the variable-time comparison issue.

Is CVE-2026-40194 being actively exploited?

There are currently no reports of active exploitation of CVE-2026-40194, but it's crucial to apply the patch proactively.

Where can I find the official phpseclib advisory for CVE-2026-40194?

Refer to the phpseclib project's security advisories on their GitHub repository: https://github.com/phpseclib/phpseclib

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.