Fluid Attacks Database

Description

phpseclib is a PHP secure communications library. Starting in 0.1.1 and prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circuits on the first differing byte. This is a real variable-time comparison (CWE-208), proven by scaling benchmarks. This vulnerability is fixed in 3.0.51, 2.0.53, and 1.0.28.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpseclib/phpseclib	>=0.1.1 <1.0.28 \|\| >=2.0.0 <2.0.53 \|\| >=3.0.0 <3.0.51	1.0.28, 2.0.53, 3.0.51
debian 11	php-phpseclib	=2.0.30-2 \|\| =2.0.30-2+deb11u1 \|\| =2.0.30-2+deb11u2 \|\| =2.0.31-1 \|\| =2.0.32-1 \|\| =2.0.33-1 \|\| =2.0.34-1 \|\| =2.0.35-1 \|\| =2.0.36-1 \|\| =2.0.37-1 \|\| =2.0.38-1 \|\| =2.0.38-2 \|\| =2.0.38-3 \|\| =2.0.38-4 \|\| =2.0.39-1 \|\| =2.0.40-1 \|\| =2.0.41-1 \|\| =2.0.42-1 \|\| =2.0.44-1 \|\| =2.0.45-1 \|\| =2.0.46-1 \|\| =2.0.47-1 \|\| =2.0.47-2 \|\| =2.0.47-3 \|\| =2.0.48-1 \|\| =2.0.48-2 \|\| =2.0.48-3 \|\| =2.0.49-1 \|\| =2.0.50-1 \|\| =2.0.51-1 \|\| =2.0.52-1 \|\| =2.0.53-1 \|\| =2.0.54-1 \|\| =3.0.2-1	-
debian 12	php-phpseclib	=2.0.42-1 \|\| =2.0.42-1+deb12u1 \|\| =2.0.42-1+deb12u2 \|\| =2.0.42-1+deb12u3 \|\| >=0 <2.0.42-1+deb12u4	2.0.42-1+deb12u4
debian 13	php-phpseclib3	=3.0.43-2 \|\| =3.0.43-2+deb13u1 \|\| >=0 <3.0.43-2+deb13u2	3.0.43-2+deb13u2
debian 13	php-phpseclib	=2.0.48-3 \|\| =2.0.48-3+deb13u1 \|\| >=0 <2.0.48-3+deb13u2	2.0.48-3+deb13u2
debian 12	php-phpseclib3	=3.0.19-1 \|\| =3.0.19-1+deb12u1 \|\| =3.0.19-1+deb12u2 \|\| =3.0.19-1+deb12u3 \|\| =3.0.19-1+deb12u4 \|\| >=0 <3.0.19-1+deb12u5	3.0.19-1+deb12u5
debian 11	phpseclib	=1.0.19-3 \|\| =1.0.19-3+deb11u1 \|\| =1.0.19-3+deb11u2 \|\| =1.0.19-3+deb11u3 \|\| =1.0.20-1 \|\| =1.0.21-1 \|\| =1.0.21-2 \|\| =1.0.22-1 \|\| =1.0.23-1 \|\| =1.0.23-2 \|\| =1.0.23-3 \|\| =1.0.23-4 \|\| =1.0.23-5 \|\| =1.0.23-6 \|\| =1.0.24-1 \|\| =1.0.27-1 \|\| =1.0.28-1 \|\| =1.0.29-1 \|\| =2.0.0-1 \|\| =2.0.1-1	-
debian 12	phpseclib	=1.0.20-1 \|\| =1.0.20-1+deb12u1 \|\| =1.0.20-1+deb12u2 \|\| =1.0.20-1+deb12u3 \|\| >=0 <1.0.20-1+deb12u4	1.0.20-1+deb12u4
debian 13	phpseclib	=1.0.23-6 \|\| =1.0.23-6+deb13u1 \|\| >=0 <1.0.23-6+deb13u2	1.0.23-6+deb13u2
debian 14	php-phpseclib	=2.0.48-3 \|\| =2.0.49-1 \|\| =2.0.50-1 \|\| =2.0.51-1 \|\| =2.0.52-1 \|\| >=0 <2.0.53-1	2.0.53-1

1-10 of 11

Aliases

1. CVE-2026-401942. NVD-2026-401943. OSV-2026-401944. OSV-DEBIAN-2026-401945. GHSA-r854-jrxh-36qx6. GCVE-2026-401947. SECURITY-TRACKER-CVE-2026-40194

References

1. https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx2. https://github.com/phpseclib/phpseclib/commit/ffe48b6b1b1af6963327f0a5330e3aa004a194ac3. https://github.com/phpseclib/phpseclib/releases/tag/1.0.284. https://github.com/phpseclib/phpseclib/releases/tag/2.0.535. https://github.com/phpseclib/phpseclib/releases/tag/3.0.51