Description
A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.
Published: 2026-03-19
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stack Buffer Overflow
Action: Immediate Patch
AI Analysis

Impact

A stack buffer overflow exists in the PKCS7 SignedData encoding routine of wolfSSL. In wc_PKCS7_BuildSignedAttributes() the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining space in the fixed-size signedAttribs[7] array. When an application supplies a signedAttribsSz that exceeds the allowed maximum, the function writes beyond the bounds of the local stack buffer, causing stack memory corruption. In builds configured for a small stack, this can become heap corruption. The overflow is classified as CWE‑121 and CWE‑787. The severity is low (CVSS 2.2) but the corruption may lead to program crashes or, potentially, arbitrary code execution if the overflow is exploited to hijack control flow – an inference drawn from typical consequences of such memory violations.

Affected Systems

The vulnerability affects all releases of the wolfSSL library that include the PKCS7 signing functions and have not yet applied the patch introduced in pull request 9630. No specific version range is provided in the CVE data, so the risk applies to any pre‑patched build of wolfSSL.

Risk and Exploitability

The CVSS score is 2.2, indicating low severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that an application accepts untrusted input that controls the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related functions. Therefore the attack vector is application‑driven, contingent on handling of external attribute data. If such input is not validated, the attacker could trigger the overflow, potentially crashing the process or, less directly, using the memory corruption to influence program execution.

Generated by OpenCVE AI on March 19, 2026 at 18:50 UTC.

Remediation

Vendor Solution

Update to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.

Vendor Workaround

Ensure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.

OpenCVE Recommended Actions

  • Apply the patched version of wolfSSL that adds bounds checking in wc_PKCS7_BuildSignedAttributes().
  • Validate the custom signed attribute count in application code: enforce that signedAttribsSz does not exceed MAX_SIGNED_ATTRIBS_SZ minus the number of default signed attributes.

Generated by OpenCVE AI on March 19, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 19 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.
Title Stack buffer overflow in PKCS7 SignedData encoding with custom signed attributes
Weaknesses CWE-121
CWE-787
References
Metrics cvssV4_0

{'score': 2.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Wolfssl Wolfssl
cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-03-19T17:19:37.134Z

Reserved: 2026-01-09T17:04:43.340Z

Link: CVE-2026-0819

cve-icon Vulnrichment

Updated: 2026-03-19T17:19:29.637Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-19T17:16:21.657

Modified: 2026-03-20T13:39:46.493

Link: CVE-2026-0819

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T11:06:49Z

Weaknesses