Vol. 1 · Ed. 2026
CyberGlossary
Entry № 024

AES-CBC

Reviewed by: Cybersecurity entrepreneur & security researcher

What is AES-CBC?

AES-CBC: An unauthenticated block-cipher mode that chains AES encryption with the previous ciphertext block; vulnerable to padding-oracle attacks when used without a MAC.


AES-CBC (Cipher Block Chaining) is a block-cipher mode defined in NIST SP 800-38A: each 128-bit plaintext block is XORed with the previous ciphertext block before AES encryption, with a random, unpredictable IV standing in for the "previous block" of the first one. CBC provides confidentiality but no integrity, so it must be wrapped with a separate MAC in an encrypt-then-MAC construction. PKCS#7-padded CBC without that MAC is notoriously vulnerable to padding-oracle attacks, which have been weaponised against SSL/TLS (POODLE, Lucky 13) and IPsec, and CBC with a predictable IV gave TLS 1.0 the BEAST attack. Modern standards favour AEAD modes such as AES-GCM or ChaCha20-Poly1305 over plain CBC, though CBC cipher suites remain in TLS 1.0 to 1.2 stacks.

The padding-oracle class of attacks was introduced by Serge Vaudenay in 2002: if a server reveals, through an error message, response timing or any other behavioural difference, whether the decrypted PKCS#7 padding is valid, an attacker can recover plaintext byte by byte without ever learning the key, at roughly 128 oracle queries per byte on average. The pattern reappeared as POODLE (CVE-2014-3566) against SSL 3.0's weaker padding check and as Lucky 13 (CVE-2013-0169), a timing side channel in the TLS MAC-then-encrypt construction. BEAST (CVE-2011-3389) is a different CBC weakness: TLS 1.0 reused the last ciphertext block of one record as the IV of the next, so an attacker who could inject chosen plaintext could verify guesses one block at a time. CBC is also malleable: flipping a bit in ciphertext block i flips the same bit in plaintext block i+1 (and scrambles plaintext block i entirely), so without integrity protection an attacker can tamper with messages undetected.

Correct usage therefore demands a random, unpredictable IV per message and encrypt-then-MAC integrity (standardised for TLS in RFC 7366), not the legacy MAC-then-encrypt ordering; the MAC must be checked in constant time and rejected before the padding is ever inspected. CBC still appears in IPsec, older SSH cipher lists and TLS 1.0 to 1.2 deployments, but TLS 1.3 removed every CBC cipher suite, mandating AEAD instead. When refactoring legacy systems, replace AES-CBC + HMAC with a single AEAD primitive (AES-GCM, AES-GCM-SIV or ChaCha20-Poly1305, minding GCM's nonce-reuse requirement) to eliminate the padding-oracle and MAC-ordering footguns in one step.
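The mechanics in the three paragraphs above, as an added worked example that is not part of the original entry: CBC encryption and decryption with PKCS#7 padding, a simulated padding oracle with Vaudenay's byte-by-byte recovery run against it, the one-bit malleability flip, and the encrypt-then-MAC wrapper that closes both holes. It uses the third-party cryptography package for the AES block operation when that package is installed and otherwise falls back to a toy HMAC-based Feistel permutation so that it runs with the standard library alone (an assumption of this example, labelled in the code; the attack does not depend on which block cipher sits underneath). The sample plaintext, keys and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16
try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # no 'cryptography' package: use a toy Feistel permutation instead (NOT AES)
    HAVE_AES = False

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key, block, decrypt=False):
    """One 16-byte block through AES, or through a 4-round Feistel over HMAC-SHA256 as a stand-in."""
    if HAVE_AES:
        c = Cipher(algorithms.AES(key), modes.ECB())
        return (c.decryptor() if decrypt else c.encryptor()).update(block)
    left, right = block[:8], block[8:]
    for r in (reversed(range(4)) if decrypt else range(4)):
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return right + left  # undo the final swap so the reversed rounds invert the forward direction

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    """iv || C1 || ... || Cn with C_i = E(P_i XOR C_{i-1}) and C_0 = iv (SP 800-38A CBC)."""
    out, prev = bytearray(), iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_cipher(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + bytes(out)

def cbc_decrypt(key, data):
    iv, ct = data[:BLOCK], data[BLOCK:]
    if not ct or len(ct) % BLOCK: raise ValueError("bad length")
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_cipher(key, ct[i:i + BLOCK], decrypt=True), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(bytes(out))

def tamper(data, offset, mask):
    buf = bytearray(data)
    buf[offset] ^= mask  # malleability: a flip in block i shows up as the same flip in plaintext block i+1
    return bytes(buf)

def padding_oracle(key, data):
    """Models a server that reveals, via error or timing, whether the padding was valid."""
    try:
        cbc_decrypt(key, data)
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, data):
    """Vaudenay's attack: recover the plaintext with only the oracle, never the key."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D(target), learned one byte at a time from the right
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos  # padding value we force: 0x01, then 0x02 0x02, ...
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padv  # known bytes are set so they decrypt to padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1 and not oracle(tamper(forged, pos - 1, 1) + target):
                    continue  # last byte only: it was an accidental 0x02 0x02, not 0x01
                inter[pos] = guess ^ padv
                break
        recovered += xor(inter, prev)
    return pkcs7_unpad(recovered)

def etm_encrypt(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC (the RFC 7366 ordering): the tag covers the IV and every ciphertext block."""
    data = cbc_encrypt(enc_key, secrets.token_bytes(BLOCK), plaintext)
    return data + hmac.new(mac_key, data, hashlib.sha256).digest()

def etm_decrypt(enc_key, mac_key, blob):
    data, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest()):
        raise ValueError("bad MAC")  # one uniform failure before any padding is looked at
    return cbc_decrypt(enc_key, data)
```

Encrypting b"user=bob;admin=0" and calling tamper on byte 15 of the ciphertext (the last IV byte) makes cbc_decrypt return b"user=bob;admin=1" without the key; padding_oracle_attack with the oracle closed over the same key recovers the whole plaintext in at most 256 queries per byte. The same tampered message handed to etm_decrypt fails on the MAC before the padding is touched, which is the property that removes the oracle; in production the comparison must stay constant-time (hmac.compare_digest here) or the timing difference becomes the oracle again.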

flowchart LR
  IV[Random IV] --> X1((XOR))
  P1[Plaintext block 1] --> X1
  X1 --> E1[AES encrypt] --> C1[Cipher block 1]
  C1 --> X2((XOR))
  P2[Plaintext block 2] --> X2
  X2 --> E2[AES encrypt] --> C2[Cipher block 2]

Examples

  1. AES-256-CBC with HMAC-SHA1 in TLS 1.0/1.1 cipher suites such as TLS_RSA_WITH_AES_256_CBC_SHA; the SHA-256 variants (TLS_RSA_WITH_AES_256_CBC_SHA256) arrived with TLS 1.2. All of them use the MAC-then-encrypt ordering that Lucky 13 exploits.

  2. BitLocker switched from AES-CBC to XTS-AES for full-disk encryption in Windows 10 because CBC is malleable; XTS provides no authentication either, but an edit to a ciphertext block only garbles that block rather than producing a controlled bit flip in the next one.

Frequently asked questions

What is AES-CBC?

An unauthenticated block-cipher mode that chains AES encryption with the previous ciphertext block; vulnerable to padding-oracle attacks when used without a MAC. It belongs to the Cryptography category of cybersecurity.

What does AES-CBC mean?

An unauthenticated block-cipher mode that chains AES encryption with the previous ciphertext block; vulnerable to padding-oracle attacks when used without a MAC.

How do you use AES-CBC safely?

Generate a fresh random IV for every message, never a counter or the previous ciphertext block; compute an HMAC over the IV and ciphertext and verify it in constant time before any decryption or padding check (encrypt-then-MAC, RFC 7366); return one uniform error for every failure so that neither error text nor timing acts as a padding oracle; and, where the protocol allows, replace CBC + HMAC with an AEAD mode such as AES-GCM or ChaCha20-Poly1305.

What are other names for AES-CBC?

Common alternative names include: Cipher Block Chaining, AES-128-CBC, AES-256-CBC.
