🟠 High | Source: Microsoft Security Response Center
CVE-2026-45446 is a vulnerability affecting AES-GCM-SIV and AES-SIV encryption modes, where empty messages are processed with incorrect authentication tags. This flaw could allow an attacker to bypass integrity checks on empty ciphertexts, potentially enabling undetected data tampering or forgery in systems relying on these encryption schemes.
Security Architect’s Take: Audit any Azure services or application code that uses AES-GCM-SIV or AES-SIV encryption, particularly where empty message handling is a possibility — apply Microsoft’s recommended patches or mitigations promptly and review cryptographic library dependencies for affected versions.
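One way to run the audit suggested above, as an added example rather than code from the advisory or from any affected library: a harness that seals an empty message and confirms that every altered tag, a truncated tag, and a replay under different associated data are all rejected. The SIV-style cipher is a constructed HMAC stand-in (not AES-SIV or AES-GCM-SIV), `open_faulty` is a hypothetical defect used only to show what the harness reports, and all names are assumptions; substitute your library's seal/open calls.

```python
import hashlib
import hmac

TAG_LEN = 16

def _tag(key, ad, pt):
    # Synthetic IV: MAC over length-prefixed AD plus plaintext (stand-in for S2V/POLYVAL).
    msg = len(ad).to_bytes(8, "big") + ad + pt
    return hmac.new(key[:16], msg, hashlib.sha256).digest()[:TAG_LEN]

def _xor_stream(key, iv, data):
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key[16:], iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, ad, pt):
    iv = _tag(key, ad, pt)
    return iv + _xor_stream(key, iv, pt)

def open_strict(key, ad, ct):
    if len(ct) < TAG_LEN:
        raise ValueError("truncated")
    iv, body = ct[:TAG_LEN], ct[TAG_LEN:]
    pt = _xor_stream(key, iv, body)
    if not hmac.compare_digest(iv, _tag(key, ad, pt)):
        raise ValueError("authentication failed")
    return pt

def open_faulty(key, ad, ct):
    # Hypothetical defect for the demo: no tag check when the body is empty.
    return b"" if len(ct) == TAG_LEN else open_strict(key, ad, ct)

def audit_empty_message(seal_fn, open_fn, key=bytes(range(32)), ad=b"hdr"):
    """Return every forged empty-message input that open_fn accepted."""
    good = seal_fn(key, ad, b"")
    assert open_fn(key, ad, good) == b"", "genuine empty message must open"
    flips = [good[:i // 8] + bytes([good[i // 8] ^ (1 << i % 8)]) + good[i // 8 + 1:]
             for i in range(len(good) * 8)]
    cases = [(ad, c) for c in [bytes(len(good)), good[:-1]] + flips]
    cases.append((b"other", good))  # valid tag replayed under different AD
    accepted = []
    for case_ad, forged in cases:
        try:
            open_fn(key, case_ad, forged)
            accepted.append((case_ad, forged))
        except Exception:  # libraries raise their own InvalidTag-style errors
            pass
    return accepted
```

An empty list from `audit_empty_message` means every forged empty-message input was rejected; any entry is a forged input the implementation accepted.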
Original advisory: CVE-2026-45446 Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes