Too Long; Didn't Read
The issue described in this CVE uses a timing-based side-channel to execute an oracle attack against the hash verification. Or in more plain words: this attack uses the fact that the comparison may take different times based on the content, to construct a valid signature even without knowing the key.