CVE Vulnerabilities

CVE-2026-43514

Observable Timing Discrepancy

Published: May 12, 2026 | Modified: May 14, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
3.7 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Weakness

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Affected Software

NameVendorStart VersionEnd Version
TomcatApache7.0.0 (including)7.0.109 (including)
TomcatApache8.5.0 (including)8.5.100 (including)
TomcatApache9.0.0 (including)9.0.118 (excluding)
TomcatApache10.1.0 (including)10.1.55 (excluding)
TomcatApache11.0.0 (including)11.0.22 (excluding)
Red Hat Hardened ImagesRedHattomcat11-main-11.0.22-0.1.hum1*
Red Hat Hardened ImagesRedHattomcat10-main-10.1.55-1.hum1*
Tomcat10Ubuntudevel*
Tomcat10Ubuntuesm-apps/noble*
Tomcat10Ubuntuesm-apps/resolute*
Tomcat10Ubuntunoble*
Tomcat10Ubuntuquesting*
Tomcat10Ubunturesolute*
Tomcat10Ubuntuupstream*
Tomcat11Ubuntuesm-apps/resolute*
Tomcat11Ubuntuquesting*
Tomcat11Ubunturesolute*
Tomcat11Ubuntuupstream*
Tomcat6Ubuntuesm-infra-legacy/trusty*
Tomcat6Ubuntuupstream*
Tomcat7Ubuntuesm-apps-legacy/xenial*
Tomcat7Ubuntuesm-infra-legacy/trusty*
Tomcat7Ubuntuupstream*
Tomcat8Ubuntuesm-apps/bionic*
Tomcat8Ubuntuupstream*
Tomcat9Ubuntuesm-apps/bionic*
Tomcat9Ubuntuesm-apps/focal*
Tomcat9Ubuntuesm-apps/jammy*
Tomcat9Ubuntuesm-apps/noble*
Tomcat9Ubuntuesm-apps/resolute*
Tomcat9Ubuntujammy*
Tomcat9Ubuntunoble*
Tomcat9Ubuntuquesting*
Tomcat9Ubunturesolute*
Tomcat9Ubuntuupstream*

References