Vulnerability in Caliptra Core Runtime Firmware
CVE-2026-6458
Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved a…
EPSS: 0.001 (2.8th percentile)
Affected products
- Caliptra Core Runtime Firmware — versions 2.0.0, 2.1.0, 2.0.2