Synced 18 Jun 2026 05:58 UTC Account
← All products

CVE-2026-5295

HIGH severity · CVSS 8 · CWE-121
8CVSS HIGH

Summary

A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb().

Impact & exploitability

Attack vectorAdjacent
Attack complexityLow
Privileges requiredNone
User interactionRequired
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)0%

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products we track (1)

wolfSSL

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/wolfSSL/wolfssl/pull/10116 ↗

Additional information