CWE-385: Covert Timing Channel
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
Last updated
Overview
In some instances, knowing when data is transmitted between parties can provide a malicious user with privileged information. Also, externally monitoring the timing of operations can potentially reveal sensitive data. For example, a cryptographic operation can expose its internal state if the time it takes to perform the operation varies, based on the state. Covert channels are frequently classified as either storage or timing channels. Some examples of covert timing channels are the system's paging rate, the time a certain transaction requires to execute, and the time it takes to gain access to a shared bus.
Real-world CVEs
36 recorded CVEs are caused by CWE-385 (Covert Timing Channel). The highest-severity and most recent are shown first. 4 new CWE-385 CVEs have been recorded so far in 2026 (8 in 2025).
- CVE-2020-35166Critical · CVSS 9.8 · EPSS 51th2022-07-11
- CVE-2020-29506Critical · CVSS 9.8 · EPSS 61th2022-07-11
- CVE-2026-5598
Non-constant time comparisons risk private key leakage in FrodoKEM.
High · CVSS 8.9 · EPSS 49th2026-04-15 - CVE-2026-6478
PostgreSQL discloses MD5-hashed passwords via covert timing channel
High · CVSS 8.2 · EPSS 43th2026-05-14 - CVE-2020-35164High · CVSS 8.1 · EPSS 53th2022-07-11
- CVE-2023-3640
Kernel: x86/mm: a per-cpu entry area leak was identified through the init_cea_offsets function when prefetchnta and prefetcht2 instructions being used for the per-cpu entry area mapping to the user space
High · CVSS 7.8 · EPSS 51th2023-07-24 - CVE-2025-59425
vLLM vulnerable to timing attack at bearer auth
High · CVSS 7.5 · EPSS 41th2025-10-07 - CVE-2024-25964High · CVSS 7.5 · EPSS 48th2024-03-25
- CVE-2022-24409High · CVSS 7.5 · EPSS 62th2022-02-23
- CVE-2020-25658High · CVSS 7.5 · EPSS 74th2020-11-12
- CVE-2019-3732High · CVSS 7.5 · EPSS 70th2019-09-30
- CVE-2025-0306
Ruby: openssl: ruby marvin attack
High · CVSS 7.4 · EPSS 46th2025-01-09
Showing 12 of 36 recorded CWE-385 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-385 vulnerabilitiesCommon consequences
What can happen when CWE-385 is exploited.
Read Application Data, Other
Affects: Confidentiality, Other
Information exposure.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-385, grouped by where in the lifecycle they apply.
Whenever possible, specify implementation strategies that do not introduce time variances in operations.
Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker.
It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
Vulnerable example
def validate_password(actual_pw, typed_pw):Terminology & mappings
Mapped taxonomies
- Landwehr: Timing
- CLASP: Covert Timing Channel
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-385.
- What is CWE-385?
- Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
- What CVEs are caused by CWE-385?
- 36 recorded CVEs are attributed to CWE-385, including CVE-2020-35166, CVE-2020-29506, CVE-2026-5598.
- How do you prevent CWE-385?
- Whenever possible, specify implementation strategies that do not introduce time variances in operations.
- What are the consequences of CWE-385?
- Exploiting CWE-385 can lead to: Read Application Data, Other.
- Is CWE-385 actively exploited?
- 36 recorded CVEs are caused by CWE-385; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-385) (opens in a new tab)
- CWE-385 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-385
Get alerted the moment a new CWE-385 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.