Key Information

CVE ID: CVE-2025-7071
Title: Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in ocrypto
Severity: medium

Short Description

A padding oracle attack vulnerability exists in Oberon microsystems AG's ocrypto library in all versions from 3.1.0 up to but not including 3.9.2. This allows an attacker to recover plaintexts by measuring timing differences during AES-CBC PKCS#7 decryption operations.

Vulnerability

ocrypto is vulnerable to a timing side-channel attack due to its non-constant-time implementation of PKCS#7 padding removal. Specifically, the AES-CBC decryption code (function in file ) exhibits timing differences between cases where no padding error occurs and where a padding error occurs. An attacker capable of sending thousands of ciphertexts as probes can exploit these timing differences to first determine the length of the actual message, and then recover its contents byte by byte. All clients using AES-CBC with PKCS#7 padding are affected.

Impact

Complete recovery of plaintext data.

Affected Versions

The vulnerability affects all versions of ocrypto from 3.1.0 to 3.9.1, inclusive.

Resolution

As a partial mitigation, the code was updated to be constant-time in release 3.9.2. Affected clients should upgrade to this version. A complete mitigation is beyond the scope of ocrypto and requires clients to validate the integrity of decrypted messages using application-specific, constant-time methods.
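The following is an added illustration in C, not ocrypto's own code, of the defect class the advisory describes and the kind of fix applied in 3.9.2: an early-exit PKCS#7 unpad whose running time depends on where the padding fails, beside a constant-time version that does the same work on every input. Function names, the mask helpers and the sample blocks are constructed for this example; as the Resolution notes, constant-time unpadding alone still returns a pass/fail verdict to the caller, so an integrity check on the message remains necessary.

```c
#include <stddef.h>
#include <stdint.h>

/* Mask helpers: 0xFF when the condition holds, else 0x00, computed with
 * arithmetic only so that no branch depends on the (secret) inputs. */
static uint8_t ct_is_zero(uint32_t x) { return (uint8_t)(0u - ((x - 1u) >> 31)); }
static uint8_t ct_lt(uint32_t a, uint32_t b) { return (uint8_t)(0u - ((a - b) >> 31)); }

/* Early-exit unpad: returns at the first bad byte, so invalid padding is
 * rejected faster than valid padding is accepted (the timing oracle). */
int pkcs7_unpad_early_exit(const uint8_t *buf, size_t len, size_t *out_len)
{
    if (len < 16 || len % 16 != 0) return -1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > 16) return -1;
    for (size_t i = 1; i < pad; i++)
        if (buf[len - 1 - i] != pad) return -1;
    *out_len = len - pad;
    return 0;
}

/* Constant-time unpad: touches all 16 bytes of the last block every time and
 * folds every check into one mask, so the work done does not depend on where
 * (or whether) the padding is wrong. The caller still learns the verdict,
 * which is why the advisory also asks for an integrity check on the message. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t *out_len)
{
    if (len < 16 || len % 16 != 0) return -1;          /* length is public */
    uint8_t pad = buf[len - 1];
    uint8_t bad = ct_is_zero(pad) | ct_lt(16, pad);    /* pad == 0 or > 16 */
    for (size_t i = 0; i < 16; i++) {
        uint8_t in_pad   = ct_lt((uint32_t)i, pad);                          /* i < pad */
        uint8_t mismatch = (uint8_t)~ct_is_zero((uint32_t)(buf[len - 1 - i] ^ pad));
        bad |= in_pad & mismatch;
    }
    *out_len = len - (size_t)(pad & (uint8_t)~bad);   /* full len on failure */
    return -(int)(bad & 1u);
}

/* Wrappers returning the unpadded length or -1, plus constructed sample
 * blocks (not from the advisory): valid, inner pad byte wrong, pad byte > 16. */
int unpad_ct_len(const uint8_t *b, size_t n) { size_t o; return pkcs7_unpad_ct(b, n, &o) ? -1 : (int)o; }
int unpad_early_len(const uint8_t *b, size_t n) { size_t o; return pkcs7_unpad_early_exit(b, n, &o) ? -1 : (int)o; }
const uint8_t good_pad[16] = {'h','e','l','l','o',' ','w','o','r','l','d','!', 4, 4, 4, 4};
const uint8_t bad_pad[16]  = {'h','e','l','l','o',' ','w','o','r','l','d','!', 4, 3, 4, 4};
const uint8_t big_pad[16]  = {'h','e','l','l','o',' ','w','o','r','l','d','!', 4, 4, 4, 17};
```

Both functions agree on every verdict; the difference is only in how much work precedes a rejection, which is what a timing probe measures.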