Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
125 recorded CVEs are caused by CWE-208 (Observable Timing Discrepancy). The highest-severity and most recent are shown first. 44 new CWE-208 CVEs have been recorded so far in 2026 (23 in 2025).
Apache Doris: Timing Attack weakness
RELATE: Timing Attack Vulnerability in course/auth.py — check_sign_in_key()
RustCrypto cmov: thumbv6m-none-eabi compiler emits non-constant time assembly when using cmovnz
What can happen when CWE-208 is exploited.
Read Application Data, Bypass Protection Mechanism
Affects: Confidentiality, Access Control
Typically introduced during these phases of the software lifecycle.
Illustrative examples from MITRE showing how the weakness appears in code.
Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.
Vulnerable example
assign check_pass[3:0] = 4'b0;
Safe example
assign check_pass[3:0] = 4'b0;
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
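The byte-by-byte comparison described in both examples, as an added sketch that is not MITRE's code or this page's own. It counts loop iterations as a deterministic stand-in for elapsed time, then shows a fixed-work comparison and the standard-library constant-time check; the function names, `SECRET` and `GUESSES` are assumptions constructed for illustration.

```python
import hashlib
import hmac

def early_exit_compare(actual_pw: bytes, typed_pw: bytes):
    """Vulnerable pattern: stop at the first differing byte.
    Returns (match, steps); steps stands in for observable elapsed time."""
    if len(actual_pw) != len(typed_pw):
        return False, 0
    steps = 0
    for a, b in zip(actual_pw, typed_pw):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def full_scan_compare(actual_pw: bytes, typed_pw: bytes):
    """Fixed-work pattern: visit every byte and OR the differences together."""
    if len(actual_pw) != len(typed_pw):
        return False, 0
    diff, steps = 0, 0
    for a, b in zip(actual_pw, typed_pw):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps

def validate_password_safe(actual_pw: bytes, typed_pw: bytes) -> bool:
    """Hypothetical hardened check: hash both inputs to equal-length digests
    (so length is not exposed), then use hmac.compare_digest."""
    a = hashlib.sha256(actual_pw).digest()  # equalizes length only; not a storage scheme
    b = hashlib.sha256(typed_pw).digest()
    return hmac.compare_digest(a, b)

def step_profile(compare, actual_pw, guesses):
    """Steps taken per guess; any variation is the observable discrepancy."""
    return [compare(actual_pw, g)[1] for g in guesses]

# Constructed sample data, not taken from the page.
SECRET = b"hunter2!"
GUESSES = [b"xxxxxxxx", b"huxxxxxx", b"huntexxx", b"hunter2!"]

if __name__ == "__main__":
    print("early exit:", step_profile(early_exit_compare, SECRET, GUESSES))
    print("full scan: ", step_profile(full_scan_compare, SECRET, GUESSES))
    print("safe check:", [validate_password_safe(SECRET, g) for g in GUESSES])
```

The early-exit profile grows with the length of the matching prefix, while the full-scan profile is flat; in production code prefer `hmac.compare_digest`, since a pure-Python loop gives no hard timing guarantee.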
Vulnerable example
def validate_password(actual_pw, typed_pw):
Real CVEs that MITRE cites as examples of this weakness.
CAPEC attack patterns that exploit this weakness.
Common questions about CWE-208.
125 recorded CVEs are attributed to CWE-208, including CVE-2023-41313, CVE-2026-41588, CVE-2026-23519.
Exploiting CWE-208 can lead to: Read Application Data, Bypass Protection Mechanism.
125 recorded CVEs are caused by CWE-208; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.